closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9934 Commits
2 Branches
178 MiB
Tree: d285b5d35a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd285b5d35a'
${ noResults }
gitea/modules/markup/sanitizer.go

137 lines
4.9 KiB
Raw Normal View History

Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Restructure markup & markdown to prepare for multiple markup language… (#2411) * restructure markup & markdown to prepare for multiple markup languages support * adjust some functions between markdown and markup * fix tests * improve the comments
7 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Change markdown rendering from blackfriday to goldmark (#9533) * Move to goldmark Markdown rendering moved from blackfriday to the goldmark. Multiple subtle changes required to the goldmark extensions to keep current rendering and defaults. Can go further with goldmark linkify and have this work within markdown rendering making the link processor unnecessary. Need to think about how to go about allowing extensions - at present it seems that these would be hard to do without recompilation. * linter fixes Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint
5 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint
5 years ago
Server-side syntax highlighting for all code (#12047) * Server-side syntax hilighting for all code This PR does a few things: * Remove all traces of highlight.js * Use chroma library to provide fast syntax hilighting directly on the server * Provide syntax hilighting for diffs * Re-style both unified and split diffs views * Add custom syntax hilighting styling for both regular and arc-green Fixes #7729 Fixes #10157 Fixes #11825 Fixes #7728 Fixes #3872 Fixes #3682 And perhaps gets closer to #9553 * fix line marker * fix repo search * Fix single line select * properly load settings * npm uninstall highlight.js * review suggestion * code review * forgot to call function * fix test * Apply suggestions from code review suggestions from @silverwind thanks Co-authored-by: silverwind <me@silverwind.io> * code review * copy/paste error * Use const for highlight size limit * Update web_src/less/_repository.less Co-authored-by: Lauris BH <lauris@nix.lv> * update size limit to 1MB and other styling tweaks * fix highlighting for certain diff sections * fix test * add worker back as suggested Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Add loading spinners and mermaid error handling (#12358) - Add loading spinners on editor and mermaid renderers - Add error handling and inline error box for mermaid - Fix Mermaid rendering by using the .init api
4 years ago
Server-side syntax highlighting for all code (#12047) * Server-side syntax hilighting for all code This PR does a few things: * Remove all traces of highlight.js * Use chroma library to provide fast syntax hilighting directly on the server * Provide syntax hilighting for diffs * Re-style both unified and split diffs views * Add custom syntax hilighting styling for both regular and arc-green Fixes #7729 Fixes #10157 Fixes #11825 Fixes #7728 Fixes #3872 Fixes #3682 And perhaps gets closer to #9553 * fix line marker * fix repo search * Fix single line select * properly load settings * npm uninstall highlight.js * review suggestion * code review * forgot to call function * fix test * Apply suggestions from code review suggestions from @silverwind thanks Co-authored-by: silverwind <me@silverwind.io> * code review * copy/paste error * Use const for highlight size limit * Update web_src/less/_repository.less Co-authored-by: Lauris BH <lauris@nix.lv> * update size limit to 1MB and other styling tweaks * fix highlighting for certain diff sections * fix test * add worker back as suggested Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint
5 years ago
Make TaskCheckBox render correctly (#11214) * Fix checkbox rendering Signed-off-by: Andrew Thornton <art27@cantab.net> * Normalize checkbox rendering Signed-off-by: Andrew Thornton <art27@cantab.net> * set the checkboxes to readonly instead of disabled Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Rewrite reference processing code in preparation for opening/closing from comment references (#8261) * Add a markdown stripper for mentions and xrefs * Improve comments * Small code simplification * Move reference code to modules/references * Fix typo * Make MarkdownStripper return [][]byte * Implement preliminary keywords parsing * Add FIXME comment * Fix comment * make fmt * Fix permissions check * Fix text assumptions * Fix imports * Fix lint, fmt * Fix unused import * Add missing export comment * Bypass revive on implemented interface * Move mdstripper into its own package * Support alphanumeric patterns * Refactor FindAllMentions * Move mentions test to references * Parse mentions from reference package * Refactor code to implement renderizable references * Fix typo * Move patterns and tests to the references package * Fix nil reference * Preliminary rendering attempt of closing keywords * Normalize names, comments, general tidy-up * Add CSS style for action keywords * Fix permission for admin and owner * Fix golangci-lint * Fix golangci-lint
5 years ago
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint
5 years ago
Allow kbd tags (#9245) * Allow kbd tags Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add test Signed-off-by: jolheiser <john.olheiser@gmail.com>
5 years ago
Issue/PR Context Popups (#9822) * Add data-index attribute to issue anchors Signed-off-by: jolheiser <john.olheiser@gmail.com> * Init JS Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add required data to anchor Signed-off-by: jolheiser <john.olheiser@gmail.com> * Finish popup Signed-off-by: jolheiser <john.olheiser@gmail.com> * Revert changes to html.go Signed-off-by: jolheiser <john.olheiser@gmail.com> * Better octicon contexts Signed-off-by: jolheiser <john.olheiser@gmail.com> * Split out popup function for re-use Signed-off-by: jolheiser <john.olheiser@gmail.com> * Style changes, test fixes, and cross-reference support Signed-off-by: jolheiser <john.olheiser@gmail.com> * Prefer em to px Signed-off-by: jolheiser <john.olheiser@gmail.com> * Move label margin to base CSS Signed-off-by: jolheiser <john.olheiser@gmail.com> * Move JS to separate file. Signed-off-by: jolheiser <john.olheiser@gmail.com> * Move JS to features and fix module Signed-off-by: jolheiser <john.olheiser@gmail.com> * Remove query-string and hash Co-Authored-By: silverwind <me@silverwind.io> Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
4 years ago
Fix task-list checkbox styling (#10668) * Fix task-list checkbox styling The pandoc renderer will append the class "task-list" to the ul element wrapping a li with one or more check-boxes. This allows us to select for them, removing their list-style-type property. However, goldmark and the gfm spec doesn't specify the "task-list" class name, so we can't use that to fix the issue there. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Update to goldmark v1.1.25 This version adds the missing space after a checkbox. Resolves: #9656 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
4 years ago
Prevent 500 with badly formed task list (#11328) Fix #11317 Signed-off-by: Andrew Thornton <art27@cantab.net>
4 years ago
Fix task-list checkbox styling (#10668) * Fix task-list checkbox styling The pandoc renderer will append the class "task-list" to the ul element wrapping a li with one or more check-boxes. This allows us to select for them, removing their list-style-type property. However, goldmark and the gfm spec doesn't specify the "task-list" class name, so we can't use that to fix the issue there. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Update to goldmark v1.1.25 This version adds the missing space after a checkbox. Resolves: #9656 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
4 years ago
Use markdown frontmatter to provide Table of contents, language and frontmatter rendering (#11047) * Add control for the rendering of the frontmatter * Add control to include a TOC * Add control to set language - allows control of ToC header and CJK glyph choice. Signed-off-by: Andrew Thornton art27@cantab.net
4 years ago
Make TaskCheckBox render correctly (#11214) * Fix checkbox rendering Signed-off-by: Andrew Thornton <art27@cantab.net> * Normalize checkbox rendering Signed-off-by: Andrew Thornton <art27@cantab.net> * set the checkboxes to readonly instead of disabled Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Use markdown frontmatter to provide Table of contents, language and frontmatter rendering (#11047) * Add control for the rendering of the frontmatter * Add control to include a TOC * Add control to set language - allows control of ToC header and CJK glyph choice. Signed-off-by: Andrew Thornton art27@cantab.net
4 years ago
Support unicode emojis and remove emojify.js (#11032) * Support unicode emojis and remove emojify.js This PR replaces all use of emojify.js and adds unicode emoji support to various areas of gitea. This works in a few ways: First it adds emoji parsing support into gitea itself. This allows us to * Render emojis from valid alias (:smile:) * Detect unicode emojis and let us put them in their own class with proper aria-labels and styling * Easily allow for custom "emoji" * Support all emoji rendering and features without javascript * Uses plain unicode and lets the system render in appropriate emoji font * Doesn't leave us relying on external sources for updates/fixes/features That same list of emoji is also used to create a json file which replaces the part of emojify.js that populates the emoji search tribute. This file is about 35KB with GZIP turned on and I've set it to load after the page renders to not hinder page load time (and this removes loading emojify.js also) For custom "emoji" it uses a pretty simple scheme of just looking for /emojis/img/name.png where name is something a user has put in the "allowed reactions" setting we already have. The gitea reaction that was previously hard coded into a forked copy of emojify.js is included and works as a custom reaction under this method. The emoji data sourced here is from https://github.com/github/gemoji which is the gem library Github uses for their emoji rendering (and a data source for other sites). So we should be able to easily render any emoji and :alias: that Github can, removing any errors from migrated content. They also update it as well, so we can sync when there are new unicode emoji lists released. I've included a slimmed down and slightly modified forked copy of https://github.com/knq/emoji to make up our own emoji module. The code is pretty straight forward and again allows us to have a lot of flexibility in what happens. I had seen a few comments about performance in some of the other threads if we render this ourselves, but there doesn't seem to be any issue here. In a test it can parse, convert, and render 1,000 emojis inside of a large markdown table in about 100ms on my laptop (which is many more emojis than will ever be in any normal issue). This also prevents any flickering and other weirdness from using javascript to render some things while using go for others. Not included here are image fall back URLS. I don't really think they are necessary for anything new being written in 2020. However, managing the emoji ourselves would allow us to add these as a feature later on if it seems necessary. Fixes: https://github.com/go-gitea/gitea/issues/9182 Fixes: https://github.com/go-gitea/gitea/issues/8974 Fixes: https://github.com/go-gitea/gitea/issues/8953 Fixes: https://github.com/go-gitea/gitea/issues/6628 Fixes: https://github.com/go-gitea/gitea/issues/5130 * add new shared function emojiHTML * don't increase emoji size in issue title * Update templates/repo/issue/view_content/add_reaction.tmpl Co-Authored-By: 6543 <6543@obermui.de> * Support for emoji rendering in various templates * Render code and review comments as they should be * Better way to handle mail subjects * insert unicode from tribute selection * Add template helper for plain text when needed * Use existing replace function I forgot about * Don't include emoji greater than Unicode Version 12 Only include emoji and aliases in JSON * Update build/generate-emoji.go * Tweak regex slightly to really match everything including random invisible characters. Run tests for every emoji we have * final updates * code review * code review * hard code gitea custom emoji to match previous behavior * Update .eslintrc Co-Authored-By: silverwind <me@silverwind.io> * disable preempt Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
Server-side syntax highlighting for all code (#12047) * Server-side syntax hilighting for all code This PR does a few things: * Remove all traces of highlight.js * Use chroma library to provide fast syntax hilighting directly on the server * Provide syntax hilighting for diffs * Re-style both unified and split diffs views * Add custom syntax hilighting styling for both regular and arc-green Fixes #7729 Fixes #10157 Fixes #11825 Fixes #7728 Fixes #3872 Fixes #3682 And perhaps gets closer to #9553 * fix line marker * fix repo search * Fix single line select * properly load settings * npm uninstall highlight.js * review suggestion * code review * forgot to call function * fix test * Apply suggestions from code review suggestions from @silverwind thanks Co-authored-by: silverwind <me@silverwind.io> * code review * copy/paste error * Use const for highlight size limit * Update web_src/less/_repository.less Co-authored-by: Lauris BH <lauris@nix.lv> * update size limit to 1MB and other styling tweaks * fix highlighting for certain diff sections * fix test * add worker back as suggested Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Restore checkbox rendering and prevent poor sanitization of spans (#11277) * Add test Signed-off-by: Andrew Thornton <art27@cantab.net> * Restore checkbox rendering and prevent poor sanitization of spans Signed-off-by: Andrew Thornton <art27@cantab.net> * Also fix preview context Signed-off-by: Andrew Thornton <art27@cantab.net> * Also fix preview context Signed-off-by: Andrew Thornton <art27@cantab.net>
4 years ago
Relax sanitization as per https://github.com/jch/html-pipeline (#10527) Looking at github/markup#245 it is clear that GH uses https://github.com/jch/html-pipeline to sanitize. This PR relaxes our sanitization to more closely match this. Fixes #10471 and likely others...
4 years ago
Markdown: Sanitizier Configuration (#9075) * Support custom sanitization policy Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `<span>` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested). This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup. Resolves: #9054 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Document new sanitization configuration - Adds basic documentation to app.ini.sample, - Adds an example to the Configuration Cheat Sheet, and - Adds extended information to External Renderers section. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Drop extraneous length check in newMarkupSanitizer(...) Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Fix plural ELEMENT and ALLOW_ATTR in docs These were left over from their initial names. Make them singular to conform with the current expectations. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
5 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
fix #1501 ssh hangs caused by #1461 (#1513)
7 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
Change markdown rendering from blackfriday to goldmark (#9533) * Move to goldmark Markdown rendering moved from blackfriday to the goldmark. Multiple subtle changes required to the goldmark extensions to keep current rendering and defaults. Can go further with goldmark linkify and have this work within markdown rendering making the link processor unnecessary. Need to think about how to go about allowing extensions - at present it seems that these would be hard to do without recompilation. * linter fixes Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
fix #1501 ssh hangs caused by #1461 (#1513)
7 years ago
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks
7 years ago
 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Copyright 2017 The Gogs Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package markup
  7. 

  8. import (
  9. 	"bytes"
  10. 	"io"
  11. 	"regexp"
  12. 	"sync"
  13. 

  14. 	"code.gitea.io/gitea/modules/setting"
  15. 

  16. 	"github.com/microcosm-cc/bluemonday"
  17. )
  18. 

  19. // Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow

  20. // any modification to the underlying policies once it's been created.

  21. type Sanitizer struct {
  22. 	policy *bluemonday.Policy
  23. 	init   sync.Once
  24. }
  25. 

  26. var sanitizer = &Sanitizer{}
  27. 

  28. // NewSanitizer initializes sanitizer with allowed attributes based on settings.

  29. // Multiple calls to this function will only create one instance of Sanitizer during

  30. // entire application lifecycle.

  31. func NewSanitizer() {
  32. 	sanitizer.init.Do(func() {
  33. 		ReplaceSanitizer()
  34. 	})
  35. }
  36. 

  37. // ReplaceSanitizer replaces the current sanitizer to account for changes in settings

  38. func ReplaceSanitizer() {
  39. 	sanitizer.policy = bluemonday.UGCPolicy()
  40. 	// For Chroma markdown plugin

  41. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^is-loading$`)).OnElements("pre")
  42. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^(chroma )?language-[\w-]+$`)).OnElements("code")
  43. 

  44. 	// Checkboxes

  45. 	sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
  46. 	sanitizer.policy.AllowAttrs("checked", "disabled", "readonly").OnElements("input")
  47. 

  48. 	// Custom URL-Schemes

  49. 	sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
  50. 

  51. 	// Allow keyword markup

  52. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
  53. 

  54. 	// Allow classes for anchors

  55. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a")
  56. 

  57. 	// Allow classes for task lists

  58. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`task-list-item`)).OnElements("li")
  59. 

  60. 	// Allow icons

  61. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i")
  62. 

  63. 	// Allow unlabelled labels

  64. 	sanitizer.policy.AllowNoAttrs().OnElements("label")
  65. 

  66. 	// Allow classes for emojis

  67. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")
  68. 

  69. 	// Allow icons, checkboxes, emojis, and chroma syntax on span

  70. 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox)|(emoji))$|^([a-z][a-z0-9]{0,2})$`)).OnElements("span")
  71. 

  72. 	// Allow generally safe attributes

  73. 	generalSafeAttrs := []string{"abbr", "accept", "accept-charset",
  74. 		"accesskey", "action", "align", "alt",
  75. 		"aria-describedby", "aria-hidden", "aria-label", "aria-labelledby",
  76. 		"axis", "border", "cellpadding", "cellspacing", "char",
  77. 		"charoff", "charset", "checked",
  78. 		"clear", "cols", "colspan", "color",
  79. 		"compact", "coords", "datetime", "dir",
  80. 		"disabled", "enctype", "for", "frame",
  81. 		"headers", "height", "hreflang",
  82. 		"hspace", "ismap", "label", "lang",
  83. 		"maxlength", "media", "method",
  84. 		"multiple", "name", "nohref", "noshade",
  85. 		"nowrap", "open", "prompt", "readonly", "rel", "rev",
  86. 		"rows", "rowspan", "rules", "scope",
  87. 		"selected", "shape", "size", "span",
  88. 		"start", "summary", "tabindex", "target",
  89. 		"title", "type", "usemap", "valign", "value",
  90. 		"vspace", "width", "itemprop",
  91. 	}
  92. 

  93. 	generalSafeElements := []string{
  94. 		"h1", "h2", "h3", "h4", "h5", "h6", "h7", "h8", "br", "b", "i", "strong", "em", "a", "pre", "code", "img", "tt",
  95. 		"div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot", "blockquote",
  96. 		"dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th", "s", "strike", "summary",
  97. 		"details", "caption", "figure", "figcaption",
  98. 		"abbr", "bdo", "cite", "dfn", "mark", "small", "span", "time", "wbr",
  99. 	}
  100. 

  101. 	sanitizer.policy.AllowAttrs(generalSafeAttrs...).OnElements(generalSafeElements...)
  102. 

  103. 	sanitizer.policy.AllowAttrs("itemscope", "itemtype").OnElements("div")
  104. 

  105. 	// FIXME: Need to handle longdesc in img but there is no easy way to do it

  106. 

  107. 	// Custom keyword markup

  108. 	for _, rule := range setting.ExternalSanitizerRules {
  109. 		if rule.Regexp != nil {
  110. 			sanitizer.policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element)
  111. 		} else {
  112. 			sanitizer.policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element)
  113. 		}
  114. 	}
  115. }
  116. 

  117. // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.

  118. func Sanitize(s string) string {
  119. 	NewSanitizer()
  120. 	return sanitizer.policy.Sanitize(s)
  121. }
  122. 

  123. // SanitizeReader sanitizes a Reader

  124. func SanitizeReader(r io.Reader) *bytes.Buffer {
  125. 	NewSanitizer()
  126. 	return sanitizer.policy.SanitizeReader(r)
  127. }
  128. 

  129. // SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist.

  130. func SanitizeBytes(b []byte) []byte {
  131. 	if len(b) == 0 {
  132. 		// nothing to sanitize

  133. 		return b
  134. 	}
  135. 	NewSanitizer()
  136. 	return sanitizer.policy.SanitizeBytes(b)
  137. }