Security: prevent XSS attach on wiki page

Reported by Miguel Ángel Jimeno.
author: Unknwon <u@gogs.io> 2017-02-15 18:05:02 -0500
committer: Unknwon <u@gogs.io> 2017-02-15 18:05:02 -0500
commit: f97b250509f579f62e2ce846adb89a400da88f8f (patch)
tree: eda12f24dd80eb6b4b5e249d0477cb6e8d986342 /modules/template/template.go
parent: 59981b8818e9ed5f56e7b34e5b425a2192c0c26d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/template/template.go b/modules/template/template.go
index d5d9804d..f7ce7dca 100644
--- a/modules/template/template.go
+++ b/modules/template/template.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 	log "gopkg.in/clog.v1"
@@ -60,6 +61,7 @@ func NewFuncMap() []template.FuncMap {
 		},
 		"AvatarLink":   base.AvatarLink,
 		"Safe":         Safe,
+		"Sanitize":     bluemonday.UGCPolicy().Sanitize,
 		"Str2html":     Str2html,
 		"TimeSince":    base.TimeSince,
 		"RawTimeSince": base.RawTimeSince,
author	Unknwon <u@gogs.io>	2017-02-15 18:05:02 -0500
committer	Unknwon <u@gogs.io>	2017-02-15 18:05:02 -0500
commit	f97b250509f579f62e2ce846adb89a400da88f8f (patch)
tree	eda12f24dd80eb6b4b5e249d0477cb6e8d986342 /modules/template/template.go
parent	59981b8818e9ed5f56e7b34e5b425a2192c0c26d (diff)