From 761bb3cf53960485921ad045bae5a79340d66f97 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 31 Mar 2017 16:19:10 -0400
Subject: modules/markup: protect sanitizer from possible modification

Only expose public APIs for 'Sanitize' and 'SanitizeBytes' to eliminate unintentional modifications to sanitizer policy. Also use 'sync.Once' to make sure multiple calls of 'NewSanitizer' is safe (although should never happen, but this is a better way).
---
 modules/markup/markdown.go | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

(limited to 'modules/markup/markdown.go')

diff --git a/modules/markup/markdown.go b/modules/markup/markdown.go
index fa91553a..51afe48e 100644
--- a/modules/markup/markdown.go
+++ b/modules/markup/markdown.go
@@ -14,7 +14,6 @@ import (
 	"strings"
 
 	"github.com/Unknwon/com"
-	"github.com/microcosm-cc/bluemonday"
 	"github.com/russross/blackfriday"
 	"golang.org/x/net/html"
 
@@ -27,22 +26,6 @@ const (
 	ISSUE_NAME_STYLE_ALPHANUMERIC = "alphanumeric"
 )
 
-var Sanitizer = bluemonday.UGCPolicy()
-
-// BuildSanitizer initializes sanitizer with allowed attributes based on settings.
-// This function should only be called once during entire application lifecycle.
-func BuildSanitizer() {
-	// We only want to allow HighlightJS specific classes for code blocks
-	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
-
-	// Checkboxes
-	Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
-	Sanitizer.AllowAttrs("checked", "disabled").OnElements("input")
-
-	// Custom URL-Schemes
-	Sanitizer.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
-}
-
 var validLinksPattern = regexp.MustCompile(`^[a-z][\w-]+://|^mailto:`)
 
 // isLink reports whether link fits valid format.
@@ -480,7 +463,7 @@ func Render(rawBytes []byte, urlPrefix string, metas map[string]string) []byte {
 	urlPrefix = strings.Replace(urlPrefix, space, spaceEncoded, -1)
 	result := RenderRaw(rawBytes, urlPrefix)
 	result = PostProcess(result, urlPrefix, metas)
-	result = Sanitizer.SanitizeBytes(result)
+	result = SanitizeBytes(result)
 	return result
 }
-- 
cgit v1.2.3
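Review bot: The new call `result = SanitizeBytes(result)` now depends on a package-level policy that this file no longer builds at package load — the removed code created `Sanitizer` eagerly via `bluemonday.UGCPolicy()`, whereas the description says the policy is now produced by `NewSanitizer` under a `sync.Once`, whose definition is not in this diff (it is limited to markdown.go). Since this is the final step before `Render` returns its output, it is worth confirming that `SanitizeBytes` fails closed (initializes the policy itself, or refuses to return unfiltered bytes) when `NewSanitizer` has not yet been called, rather than passing markup through an empty or nil policy. If it does not, performing the `sync.Once` initialization inside `SanitizeBytes`/`Sanitize` instead of only in `NewSanitizer` would remove the ordering requirement entirely, and a one-line comment such as `// SanitizeBytes applies the package sanitizer policy; safe to call before NewSanitizer` would document the guarantee. Render's signature and the start of its body lie outside the hunk.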