From 9d06ebd01a07b51ab2513e171dcfb79183c4997c Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Wed, 29 Mar 2017 19:52:53 -0400
Subject: markdown: improve filter of class attribute for code blocks

Only allow HighlightJS specific classes.

Reported by ChALkeR.
---
 modules/markdown/markdown.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/markdown')

diff --git a/modules/markdown/markdown.go b/modules/markdown/markdown.go
index 0af0d908..6101670c 100644
--- a/modules/markdown/markdown.go
+++ b/modules/markdown/markdown.go
@@ -32,8 +32,8 @@ var Sanitizer = bluemonday.UGCPolicy()
 // BuildSanitizer initializes sanitizer with allowed attributes based on settings.
 // This function should only be called once during entire application lifecycle.
 func BuildSanitizer() {
- // Normal markdown-stuff
- Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
+ // We only want to allow HighlightJS specific classes for code blocks
+ Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
 
 // Checkboxes
 Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
-- 
cgit v1.2.3
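Review bot: The new pattern `^language-\w+` on the added Sanitizer line is anchored only at the start, so a class value that merely begins with `language-` is accepted and any further class tokens after the first one still reach the rendered `code` element, which is the kind of leakage this commit sets out to stop; as far as I can tell bluemonday's Matching tests for a match rather than a full match, so the regexp should be closed with an end anchor, `^language-\w+$`. The `^checkbox$` pattern two lines below already uses both anchors, so this also makes the two attribute rules consistent. BuildSanitizer's body continues outside the hunk.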