Diffstat (limited to 'modules/base')
-rw-r--r--modules/base/markdown.go48
-rw-r--r--modules/base/template.go66
-rw-r--r--modules/base/tool.go27
3 files changed, 55 insertions, 86 deletions
diff --git a/modules/base/markdown.go b/modules/base/markdown.go
index a3db15df..cb083200 100644
--- a/modules/base/markdown.go
+++ b/modules/base/markdown.go
@@ -13,7 +13,8 @@ import (
"regexp"
"strings"
- "github.com/gogits/gfm"
+ "github.com/russross/blackfriday"
+
"github.com/gogits/gogs/modules/setting"
)
@@ -74,7 +75,7 @@ func IsReadmeFile(name string) bool {
}
type CustomRender struct {
- gfm.Renderer
+ blackfriday.Renderer
urlPrefix string
}
@@ -154,39 +155,40 @@ func RenderSpecialLink(rawBytes []byte, urlPrefix string) []byte {
func RenderRawMarkdown(body []byte, urlPrefix string) []byte {
htmlFlags := 0
- // htmlFlags |= gfm.HTML_USE_XHTML
- // htmlFlags |= gfm.HTML_USE_SMARTYPANTS
- // htmlFlags |= gfm.HTML_SMARTYPANTS_FRACTIONS
- // htmlFlags |= gfm.HTML_SMARTYPANTS_LATEX_DASHES
- // htmlFlags |= gfm.HTML_SKIP_HTML
- htmlFlags |= gfm.HTML_SKIP_STYLE
- htmlFlags |= gfm.HTML_SKIP_SCRIPT
- htmlFlags |= gfm.HTML_GITHUB_BLOCKCODE
- htmlFlags |= gfm.HTML_OMIT_CONTENTS
- // htmlFlags |= gfm.HTML_COMPLETE_PAGE
+ // htmlFlags |= blackfriday.HTML_USE_XHTML
+ // htmlFlags |= blackfriday.HTML_USE_SMARTYPANTS
+ // htmlFlags |= blackfriday.HTML_SMARTYPANTS_FRACTIONS
+ // htmlFlags |= blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
+ // htmlFlags |= blackfriday.HTML_SKIP_HTML
+ htmlFlags |= blackfriday.HTML_SKIP_STYLE
+ // htmlFlags |= blackfriday.HTML_SKIP_SCRIPT
+ // htmlFlags |= blackfriday.HTML_GITHUB_BLOCKCODE
+ htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
+ // htmlFlags |= blackfriday.HTML_COMPLETE_PAGE
renderer := &CustomRender{
- Renderer: gfm.HtmlRenderer(htmlFlags, "", ""),
+ Renderer: blackfriday.HtmlRenderer(htmlFlags, "", ""),
urlPrefix: urlPrefix,
}
// set up the parser
extensions := 0
- extensions |= gfm.EXTENSION_NO_INTRA_EMPHASIS
- extensions |= gfm.EXTENSION_TABLES
- extensions |= gfm.EXTENSION_FENCED_CODE
- extensions |= gfm.EXTENSION_AUTOLINK
- extensions |= gfm.EXTENSION_STRIKETHROUGH
- extensions |= gfm.EXTENSION_HARD_LINE_BREAK
- extensions |= gfm.EXTENSION_SPACE_HEADERS
- extensions |= gfm.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
-
- body = gfm.Markdown(body, renderer, extensions)
+ extensions |= blackfriday.EXTENSION_NO_INTRA_EMPHASIS
+ extensions |= blackfriday.EXTENSION_TABLES
+ extensions |= blackfriday.EXTENSION_FENCED_CODE
+ extensions |= blackfriday.EXTENSION_AUTOLINK
+ extensions |= blackfriday.EXTENSION_STRIKETHROUGH
+ extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
+ extensions |= blackfriday.EXTENSION_SPACE_HEADERS
+ extensions |= blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
+
+ body = blackfriday.Markdown(body, renderer, extensions)
return body
}
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix)
+ body = XSS(body)
return body
}
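Review bot: The post-render XSS() pass is applied only in RenderMarkdown, while RenderRawMarkdown — still exported and doing the actual rendering with HTML_SKIP_HTML off and HTML_SKIP_SCRIPT now commented out — hands unfiltered HTML to any other caller. Since that regex pass is now the only thing between raw user HTML and the browser, it belongs where the HTML is produced: move `body = XSS(body)` to the end of RenderRawMarkdown, before `return body`, so every caller gets the same output. Dropping HTML_SKIP_SCRIPT looks like a consequence of blackfriday not offering that flag; if so it deserves a comment such as `// blackfriday has no HTML_SKIP_SCRIPT; raw HTML is filtered by XSS() after rendering` rather than a silently commented-out line. A regex denylist is weaker than the parser-level flag it replaces, so enabling HTML_SKIP_HTML or running an allowlist sanitizer over the output would be the more robust replacement.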
diff --git a/modules/base/template.go b/modules/base/template.go
index b1c8c161..6d25cd45 100644
--- a/modules/base/template.go
+++ b/modules/base/template.go
@@ -5,7 +5,6 @@
package base
import (
- "bytes"
"container/list"
"encoding/json"
"errors"
@@ -107,7 +106,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
return a + b
},
"ActionIcon": ActionIcon,
- "ActionDesc": ActionDesc,
"DateFormat": DateFormat,
"List": List,
"Mail2Domain": func(mail string) string {
@@ -162,19 +160,6 @@ func ActionIcon(opType int) string {
}
}
-// FIXME: Legacy
-const (
- TPL_CREATE_REPO = `<a href="%s/user/%s">%s</a> created repository <a href="%s">%s</a>`
- TPL_COMMIT_REPO = `<a href="%s/user/%s">%s</a> pushed to <a href="%s/src/%s">%s</a> at <a href="%s">%s</a>%s`
- TPL_COMMIT_REPO_LI = `<div><img src="%s?s=16" alt="user-avatar"/> <a href="%s/commit/%s" rel="nofollow">%s</a> %s</div>`
- TPL_CREATE_ISSUE = `<a href="%s/user/%s">%s</a> opened issue <a href="%s/issues/%s">%s#%s</a>
-<div><img src="%s?s=16" alt="user-avatar"/> %s</div>`
- TPL_TRANSFER_REPO = `<a href="%s/user/%s">%s</a> transfered repository <code>%s</code> to <a href="%s">%s</a>`
- TPL_PUSH_TAG = `<a href="%s/user/%s">%s</a> pushed tag <a href="%s/src/%s" rel="nofollow">%s</a> at <a href="%s">%s</a>`
- TPL_COMMENT_ISSUE = `<a href="%s/user/%s">%s</a> commented on issue <a href="%s/issues/%s">%s#%s</a>
-<div><img src="%s?s=16" alt="user-avatar"/> %s</div>`
-)
-
type PushCommit struct {
Sha1 string
Message string
@@ -183,8 +168,9 @@ type PushCommit struct {
}
type PushCommits struct {
- Len int
- Commits []*PushCommit
+ Len int
+ Commits []*PushCommit
+ CompareUrl string
}
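Review bot: The new field is named `CompareUrl`; Go convention keeps initialisms in one case, so `CompareURL` would match the language's usual style (`URL`, `ID`). Because the field is exported and presumably read from templates and from the JSON that ActionContent2Commits unmarshals, the rename would have to be carried through those callers, so it is a judgement call; at minimum a short comment stating what the value is, e.g. `CompareUrl string // URL of the compare view for this push — confirm with caller`, would help the next reader. The preceding PushCommit struct starts before this hunk.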
func ActionContent2Commits(act Actioner) *PushCommits {
@@ -195,52 +181,6 @@ func ActionContent2Commits(act Actioner) *PushCommits {
return push
}
-// FIXME: Legacy
-// ActionDesc accepts int that represents action operation type
-// and returns the description.
-func ActionDesc(act Actioner) string {
- actUserName := act.GetActUserName()
- email := act.GetActEmail()
- repoUserName := act.GetRepoUserName()
- repoName := act.GetRepoName()
- repoLink := repoUserName + "/" + repoName
- branch := act.GetBranch()
- content := act.GetContent()
- switch act.GetOpType() {
- case 1: // Create repository.
- return fmt.Sprintf(TPL_CREATE_REPO, setting.AppSubUrl, actUserName, actUserName, repoLink, repoName)
- case 5: // Commit repository.
- var push *PushCommits
- if err := json.Unmarshal([]byte(content), &push); err != nil {
- return err.Error()
- }
- buf := bytes.NewBuffer([]byte("\n"))
- for _, commit := range push.Commits {
- buf.WriteString(fmt.Sprintf(TPL_COMMIT_REPO_LI, AvatarLink(commit.AuthorEmail), repoLink, commit.Sha1, commit.Sha1[:7], commit.Message) + "\n")
- }
- if push.Len > 3 {
- buf.WriteString(fmt.Sprintf(`<div><a href="{{AppRootSubUrl}}/%s/%s/commits/%s" rel="nofollow">%d other commits >></a></div>`, actUserName, repoName, branch, push.Len))
- }
- return fmt.Sprintf(TPL_COMMIT_REPO, setting.AppSubUrl, actUserName, actUserName, repoLink, branch, branch, repoLink, repoLink,
- buf.String())
- case 6: // Create issue.
- infos := strings.SplitN(content, "|", 2)
- return fmt.Sprintf(TPL_CREATE_ISSUE, setting.AppSubUrl, actUserName, actUserName, repoLink, infos[0], repoLink, infos[0],
- AvatarLink(email), infos[1])
- case 8: // Transfer repository.
- newRepoLink := content + "/" + repoName
- return fmt.Sprintf(TPL_TRANSFER_REPO, setting.AppSubUrl, actUserName, actUserName, repoLink, newRepoLink, newRepoLink)
- case 9: // Push tag.
- return fmt.Sprintf(TPL_PUSH_TAG, setting.AppSubUrl, actUserName, actUserName, repoLink, branch, branch, repoLink, repoLink)
- case 10: // Comment issue.
- infos := strings.SplitN(content, "|", 2)
- return fmt.Sprintf(TPL_COMMENT_ISSUE, setting.AppSubUrl, actUserName, actUserName, repoLink, infos[0], repoLink, infos[0],
- AvatarLink(email), infos[1])
- default:
- return "invalid type"
- }
-}
-
func DiffTypeToStr(diffType int) string {
diffTypes := map[int]string{
1: "add", 2: "modify", 3: "del",
diff --git a/modules/base/tool.go b/modules/base/tool.go
index b4083d09..38fd1e21 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,6 +14,7 @@ import (
"hash"
"html/template"
"math"
+ "regexp"
"strings"
"time"
@@ -446,3 +447,29 @@ func DateFormat(t time.Time, format string) string {
format = replacer.Replace(format)
return t.Format(format)
}
+
+type xssFilter struct {
+ reg *regexp.Regexp
+ repl []byte
+}
+
+var (
+ whiteSpace = []byte(" ")
+ xssFilters = []xssFilter{
+ {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
+ {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
+ {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0&#x0D;]*:`), whiteSpace},
+ }
+)
+
+// XSS goes through all the XSS filters to make user input content as safe as possible.
+func XSS(in []byte) []byte {
+ for _, filter := range xssFilters {
+ in = filter.reg.ReplaceAll(in, filter.repl)
+ }
+ return in
+}
+
+func XSSString(in string) string {
+ return string(XSS([]byte(in)))
+}
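Review bot: The three denylist patterns in xssFilters are easy to route around, so XSS() should not be the sole defence for rendered user HTML. The first pattern, `\ [ONon]\w*=["]*`, only fires on a literal space before the attribute and `=` directly after its name, so `<img src=x\tonerror=alert(1)>` and `<img src=x onerror =alert(1)>` pass untouched, and nothing here covers `<iframe>`, `<object>`, `<embed>`, `<meta http-equiv>`, `<form action>` or `data:` URLs at all. Replacing a matched fragment with a space also leaves the surrounding markup live rather than escaping it. A safer shape is an allowlist: escape everything (html/template is already imported in this file) or strip all tags except a fixed set with permitted attributes, and keep these regexes at most as defence in depth. XSSString also needs a doc comment, e.g. `// XSSString applies the same XSS filters to a string.`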