From f97b250509f579f62e2ce846adb89a400da88f8f Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Wed, 15 Feb 2017 18:05:02 -0500
Subject: Security: prevent XSS attach on wiki page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported by Miguel Ángel Jimeno.
---
 modules/template/template.go | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'modules/template')
diff --git a/modules/template/template.go b/modules/template/template.go
index d5d9804d..f7ce7dca 100644
--- a/modules/template/template.go
+++ b/modules/template/template.go
@@ -15,6 +15,7 @@ import (
 "strings"
 "time"
+ "github.com/microcosm-cc/bluemonday"
 "golang.org/x/net/html/charset"
 "golang.org/x/text/transform"
 log "gopkg.in/clog.v1"
@@ -60,6 +61,7 @@ func NewFuncMap() []template.FuncMap {
 },
 "AvatarLink": base.AvatarLink,
 "Safe": Safe,
+ "Sanitize": bluemonday.UGCPolicy().Sanitize,
 "Str2html": Str2html,
 "TimeSince": base.TimeSince,
 "RawTimeSince": base.RawTimeSince,
--
cgit v1.2.3
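Review bot: The new `"Sanitize"` entry in NewFuncMap (whose body starts and ends outside this hunk) only protects templates that actually call it, and nothing here says which values must go through it; the view is limited to modules/template, so the template side of the fix is not visible. `Safe` stays registered on the line above, so a wiki template that still pipes user-controlled text through `Safe` alone would presumably remain injectable. I would add a comment on the entry such as `// Sanitize filters untrusted HTML through bluemonday's UGC policy; apply it before Safe, never instead of escaping.` If the rendered value is a plain title rather than rich content, `bluemonday.StrictPolicy()` would be a tighter fit than `UGCPolicy()`, which keeps a broad set of formatting tags. A small test feeding a `<script>` payload through the registered function would also pin the behaviour against a later policy change.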