diff options
| author | Unknwon <u@gogs.io> | 2017-04-04 19:29:59 -0400 |
|---|---|---|
| committer | Unknwon <u@gogs.io> | 2017-04-04 19:29:59 -0400 |
| commit | d05395fe906dad7741201faa69a54fef538deda9 (patch) | |
| tree | 11dae6c5c9b40b8ce85c7294bd0309c03cb1199e /pkg/markup/sanitizer.go | |
| parent | 37b10666dea98cebf75d0c6f11ee87211ef94703 (diff) | |
Refactoring: rename modules -> pkg
Reasons to change:
1. Shorter than 'modules'
2. More generally used by other Go projects
3. Corresponds to the naming of '$GOPATH/pkg' directory
Diffstat (limited to 'pkg/markup/sanitizer.go')
| -rw-r--r-- | pkg/markup/sanitizer.go | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/pkg/markup/sanitizer.go b/pkg/markup/sanitizer.go new file mode 100644 index 00000000..63ead6df --- /dev/null +++ b/pkg/markup/sanitizer.go @@ -0,0 +1,51 @@ +// Copyright 2017 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package markup + +import ( + "regexp" + "sync" + + "github.com/microcosm-cc/bluemonday" + + "github.com/gogits/gogs/pkg/setting" +) + +// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow +// any modification to the underlying policies once it's been created. +type Sanitizer struct { + policy *bluemonday.Policy + init sync.Once +} + +var sanitizer = &Sanitizer{} + +// NewSanitizer initializes sanitizer with allowed attributes based on settings. +// Multiple calls to this function will only create one instance of Sanitizer during +// entire application lifecycle. +func NewSanitizer() { + sanitizer.init.Do(func() { + sanitizer.policy = bluemonday.UGCPolicy() + // We only want to allow HighlightJS specific classes for code blocks + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+$`)).OnElements("code") + + // Checkboxes + sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input") + sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input") + + // Custom URL-Schemes + sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) + }) +} + +// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. +func Sanitize(s string) string { + return sanitizer.policy.Sanitize(s) +} + +// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist. +func SanitizeBytes(b []byte) []byte { + return sanitizer.policy.SanitizeBytes(b) +} |