authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-01-27 00:18:46 +0800
committerGitHub <noreply@github.com>2020-01-27 00:18:46 +0800
commit5e6c3b9d0e9a06764079bc07c0419b1ebf9183eb (patch)
treeb745ef368b6efdc34c508232f1ad785ae3fb8ce1 /internal/route/api/v1/misc
parent0a461b829af1ff54994287505012bd07fbf3bf44 (diff)
api: sanitize raw markdown content (#5907)
Fixed a security issue reported by bluebird.
Diffstat (limited to 'internal/route/api/v1/misc')
-rw-r--r--internal/route/api/v1/misc/markdown.go10
1 files changed, 6 insertions, 4 deletions
diff --git a/internal/route/api/v1/misc/markdown.go b/internal/route/api/v1/misc/markdown.go
index 8731e32b..cd0ba905 100644
--- a/internal/route/api/v1/misc/markdown.go
+++ b/internal/route/api/v1/misc/markdown.go
@@ -20,16 +20,18 @@ func Markdown(c *context.APIContext, form api.MarkdownOption) {
}
if len(form.Text) == 0 {
- c.Write([]byte(""))
+ _, _ = c.Write([]byte(""))
return
}
+ var md []byte
switch form.Mode {
case "gfm":
- c.Write(markup.Markdown([]byte(form.Text), form.Context, nil))
+ md = markup.Markdown([]byte(form.Text), form.Context, nil)
default:
- c.Write(markup.RawMarkdown([]byte(form.Text), ""))
+ md = markup.SanitizeBytes(markup.RawMarkdown([]byte(form.Text), ""))
}
+ _, _ = c.Write(md)
}
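Review bot: The `gfm` branch `md = markup.Markdown([]byte(form.Text), form.Context, nil)` is now the only output path in this handler that is not wrapped in `markup.SanitizeBytes`, and nothing in the hunk shows whether `markup.Markdown` sanitizes its own output. If it does not, the issue this commit closes for the raw mode remains open for Mode "gfm"; either confirm it and record the invariant with a comment above the switch such as `// markup.Markdown sanitizes its output internally; RawMarkdown does not, so sanitize it here.`, or wrap that call the same way as the default case. The `_, _ = c.Write(...)` lines here and at the end of MarkdownRaw discard the write error without a justifying comment; a short `// response write errors are not actionable here` would make the intent explicit. The body of Markdown starts before this hunk.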
func MarkdownRaw(c *context.APIContext) {
@@ -38,5 +40,5 @@ func MarkdownRaw(c *context.APIContext) {
c.Error(http.StatusUnprocessableEntity, "", err)
return
}
- c.Write(markup.RawMarkdown(body, ""))
+ _, _ = c.Write(markup.SanitizeBytes(markup.RawMarkdown(body, "")))
}