From a43fc9ad17d4337dd26b9b8d867470ca8c548b41 Mon Sep 17 00:00:00 2001
From: ᴜɴᴋɴᴡᴏɴ
Date: Sat, 21 Mar 2020 00:12:38 +0800
Subject: ipynb: sanitize rendered HTML (#5996)

* ipynb: sanitize rendered HTML

Fixes #5170

* Remove hardcode URL

* Add tests
---
internal/app/api.go | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 internal/app/api.go
(limited to 'internal/app/api.go')

diff --git a/internal/app/api.go b/internal/app/api.go
new file mode 100644
index 00000000..c64e946e
--- /dev/null
+++ b/internal/app/api.go
@@ -0,0 +1,36 @@
+// Copyright 2020 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package app
+
+import (
+ "net/http"
+
+ "github.com/microcosm-cc/bluemonday"
+ "gopkg.in/macaron.v1"
+
+ "gogs.io/gogs/internal/context"
+)
+
+func ipynbSanitizer() *bluemonday.Policy {
+ p := bluemonday.UGCPolicy()
+ p.AllowAttrs("class", "data-prompt-number").OnElements("div")
+ p.AllowAttrs("class").OnElements("img")
+ p.AllowURLSchemes("data")
+ return p
+}
+
+func SanitizeIpynb() macaron.Handler {
+ p := ipynbSanitizer()
+
+ return func(c *context.Context) {
+ html, err := c.Req.Body().String()
+ if err != nil {
+ c.Error(err, "read body")
+ return
+ }
+
+ c.PlainText(http.StatusOK, p.Sanitize(html))
+ }
+}
-- 
cgit v1.2.3
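Review bot: `p.AllowURLSchemes("data")` in `ipynbSanitizer` whitelists the `data:` scheme for every attribute the UGC policy already treats as a URL (`a href`, `img src`, and so on), not only notebook images, so an `<a href="data:text/html,...">` appears to survive sanitization and remains a phishing/script vector in clients that still navigate to such URLs. Unless another path needs it, restrict the scheme to images, e.g. replace that line with `p.AllowDataURIImages()` (if the bluemonday version in go.mod provides it), which only accepts base64 image MIME types on `img src`. Separately, `SanitizeIpynb` reads the entire request body into a string with no size cap, so one oversized POST can exhaust memory before sanitization even starts; bound the read with `http.MaxBytesReader` (or `io.LimitReader`) before `c.Req.Body().String()` and fail with 413 when the limit is hit. How this handler is routed and whether it requires a signed-in user is outside the hunk, so the reachability of the DoS cannot be judged here.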