fix #828, may cause unintentional break in other features, but security is no.1

2025-11-04 08:30:25 +08:00 · 2015-01-20 13:08:49 +08:00
parent 0e286a0ca9
commit 8e384ce46c
7 changed files with 13 additions and 10 deletions
--- a/modules/base/template.go
+++ b/modules/base/template.go
@@ -13,15 +13,19 @@ import (
 	"strings"
 	"time"

+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"

-	"github.com/gogits/gogs/modules/setting"
 	"github.com/gogits/chardet"
+	"github.com/gogits/gogs/modules/setting"
 )

+// FIXME: use me to Markdown API renders
+var p = bluemonday.UGCPolicy()
+
 func Str2html(raw string) template.HTML {
-	return template.HTML(raw)
+	return template.HTML(p.Sanitize(raw))
 }

 func Range(l int) []int {
@@ -113,7 +117,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
 		return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
 	},
 	"AvatarLink": AvatarLink,
-	"str2html":   Str2html, // TODO: Legacy
 	"Str2html":   Str2html,
 	"TimeSince":  TimeSince,
 	"FileSize":   FileSize,