From 3a9fd81f5946cbd70390b9c061bdcd1842f29735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kim=20=22BKC=22=20Carlb=C3=A4cker?=
Date: Thu, 14 Jan 2016 07:20:03 +0100
Subject: [PATCH 1/3] Custom URL-Schemas for Markdown

---
 modules/base/markdown.go | 12 +++---------
 modules/base/tool.go | 1 +
 modules/setting/setting.go | 1 +
 modules/template/template.go | 2 +-
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/modules/base/markdown.go b/modules/base/markdown.go
index 0ef379b8e..62db945a5 100644
--- a/modules/base/markdown.go
+++ b/modules/base/markdown.go
@@ -29,16 +29,10 @@ func isalnum(c byte) bool {
 return (c >= '0' && c <= '9') || isletter(c)
 }

-var validLinks = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://")}
+var validLinksPattern = regexp.MustCompile(`^[a-z][\w-]+://`)

 func isLink(link []byte) bool {
- for _, prefix := range validLinks {
- if len(link) > len(prefix) && bytes.Equal(bytes.ToLower(link[:len(prefix)]), prefix) && isalnum(link[len(prefix)]) {
- return true
- }
- }
-
- return false
+ return validLinksPattern.Match(link)
 }

 func IsMarkdownFile(name string) bool {
@@ -346,7 +340,7 @@ OUTER_LOOP:
 func RenderMarkdown(rawBytes []byte, urlPrefix string, metas map[string]string) []byte {
 result := RenderRawMarkdown(rawBytes, urlPrefix)
 result = PostProcessMarkdown(result, urlPrefix, metas)
- result = Sanitizer.SanitizeBytes(result)
+ result = BuildSanitizer().SanitizeBytes(result)
 return result
 }

diff --git a/modules/base/tool.go b/modules/base/tool.go
index f98ae28b9..5280fef20 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -37,6 +37,7 @@ func BuildSanitizer() (p *bluemonday.Policy) {

 p.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
 p.AllowAttrs("checked", "disabled").OnElements("input")
+ p.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
 return p
 }

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index fcb234add..1ef20fd3c 100644
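Review bot: In the first modules/base/markdown.go hunk, `validLinksPattern` is case-sensitive on its first character and is not tied to any allow-list, so a link whose scheme starts with an upper-case letter (accepted before through `bytes.ToLower`) now fails isLink, while every lower-case `scheme://` string passes. That leaves the bluemonday policy as the only place where URL schemes are filtered; isLink's callers are outside this hunk, so confirm none of them treats a true result as "safe to emit". The class `[\w-]` also admits `_` and leaves out `+` and `.`, which does not match the URI scheme grammar (`git+ssh://` is rejected). I would write `regexp.MustCompile("(?i)^[a-z][a-z0-9+.-]+://")` and put a one-line comment above it saying the pattern only detects absolute URLs and does not validate the scheme.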
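Review bot: In the modules/base/tool.go hunk, `p.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)` hands the configured strings to the policy unchecked, so an entry such as `javascript` or `data` in CUSTOM_URL_SCHEMES would be allowed in links of user-generated Markdown for the whole instance. Filter the list before the call: trim and lower-case each entry, skip empty ones, and refuse script-capable schemes with a logged warning instead of passing them through. The same call is carried into the rewritten BuildSanitizer in PATCH 3/3, and the conf/app.ini comment in PATCH 2/3 would be the place to state that entries are bare scheme names without `://`. BuildSanitizer starts above this hunk, so the rest of the policy is not visible here.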
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -117,6 +117,7 @@ var (
 // Markdown sttings
 Markdown struct {
 EnableHardLineBreak bool
+ CustomURLSchemes []string `ini:"CUSTOM_URL_SCHEMES"`
 }

 // Picture settings
diff --git a/modules/template/template.go b/modules/template/template.go
index 6099fcc98..d95035c35 100644
--- a/modules/template/template.go
+++ b/modules/template/template.go
@@ -105,7 +105,7 @@ func Safe(raw string) template.HTML {
 }

 func Str2html(raw string) template.HTML {
- return template.HTML(base.Sanitizer.Sanitize(raw))
+ return template.HTML(base.BuildSanitizer().Sanitize(raw))
 }

 func Range(l int) []int {

From d94342967263ab306f4726f25a726ff6091d9fbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kim=20=22BKC=22=20Carlb=C3=A4cker?=
Date: Wed, 27 Jan 2016 02:05:53 +0100
Subject: [PATCH 2/3] Added example to conf/app.ini

---
 conf/app.ini | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/conf/app.ini b/conf/app.ini
index 69829fcab..34259b77b 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -41,6 +41,9 @@ ORG_PAGING_NUM = 50
 [markdown]
 ; Enable hard line break extension
 ENABLE_HARD_LINE_BREAK = false
+; List of custom URL-Schemes that are allowed as links when rendering Markdown
+; for example git,magnet
+CUSTOM_URL_SCHEMES =

 [server]
 PROTOCOL = http

From 1ab8a60d737b278c176d0b6204843a79dab0e878 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kim=20=22BKC=22=20Carlb=C3=A4cker?=
Date: Wed, 27 Jan 2016 21:48:57 +0100
Subject: [PATCH 3/3] Not working, but slightly better...

---
 modules/base/markdown.go | 2 +-
 modules/base/tool.go | 22 ++++++++++++----------
 modules/template/template.go | 2 +-
 routers/install.go | 3 +++
 4 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/modules/base/markdown.go b/modules/base/markdown.go
index 62db945a5..05ee5f4a5 100644
--- a/modules/base/markdown.go
+++ b/modules/base/markdown.go
@@ -340,7 +340,7 @@ OUTER_LOOP:
 func RenderMarkdown(rawBytes []byte, urlPrefix string, metas map[string]string) []byte {
 result := RenderRawMarkdown(rawBytes, urlPrefix)
 result = PostProcessMarkdown(result, urlPrefix, metas)
- result = BuildSanitizer().SanitizeBytes(result)
+ result = Sanitizer.SanitizeBytes(result)
 return result
 }

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 5280fef20..ad39db892 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -31,17 +31,19 @@ import (
 "github.com/gogits/gogs/modules/setting"
 )

-func BuildSanitizer() (p *bluemonday.Policy) {
- p = bluemonday.UGCPolicy()
- p.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
-
- p.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
- p.AllowAttrs("checked", "disabled").OnElements("input")
- p.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
- return p
-}
+var Sanitizer = bluemonday.UGCPolicy()
+
+func BuildSanitizer() {
+ // Normal markdown-stuff
+ Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")

-var Sanitizer = BuildSanitizer()
+ // Checkboxes
+ Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
+ Sanitizer.AllowAttrs("checked", "disabled").OnElements("input")
+
+ // Custom URL-Schemes
+ Sanitizer.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+}

 // EncodeMD5 encodes string to md5 hex value.
 func EncodeMD5(str string) string {
diff --git a/modules/template/template.go b/modules/template/template.go
index d95035c35..6099fcc98 100644
--- a/modules/template/template.go
+++ b/modules/template/template.go
@@ -105,7 +105,7 @@ func Safe(raw string) template.HTML {
 }

 func Str2html(raw string) template.HTML {
- return template.HTML(base.BuildSanitizer().Sanitize(raw))
+ return template.HTML(base.Sanitizer.Sanitize(raw))
 }

 func Range(l int) []int {
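Review bot: In the modules/base/tool.go hunk, BuildSanitizer now mutates the exported package-level `Sanitizer` in place, so a call made while requests are being rendered rewrites a policy that other goroutines are reading, and because AllowURLSchemes only adds entries, a scheme removed from the configuration stays allowed until the process restarts. GlobalInit (routers/install.go, last hunk of this patch) is the only caller shown; if it can run more than once, for example after the install step, that is a data race on the policy. Build into a local and publish it at the end: start with `p := bluemonday.UGCPolicy()`, apply the three rule groups to `p`, and finish with `Sanitizer = p`. Until BuildSanitizer has run, `Sanitizer` is a bare UGCPolicy without the `code` class and checkbox rules, which errs on the strict side but deserves a doc comment on both exported names.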
diff --git a/routers/install.go b/routers/install.go
index 120aa4685..b311355bf 100644
--- a/routers/install.go
+++ b/routers/install.go
@@ -91,6 +91,9 @@ func GlobalInit() {
 ssh.Listen(setting.SSHPort)
 log.Info("SSH server started on :%v", setting.SSHPort)
 }
+
+ // Build Sanitizer
+ base.BuildSanitizer()
 }

 func InstallInit(ctx *middleware.Context) {