Browse Source

Prevent 500 with badly formed task list (#11328)

Fix #11317

Signed-off-by: Andrew Thornton <art27@cantab.net>
for-closed-social
zeripath 4 years ago
committed by GitHub
parent
commit
742e26f5a5
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 23 deletions
  1. +22
    -16
      modules/markup/markdown/goldmark.go
  2. +4
    -4
      modules/markup/markdown/markdown_test.go
  3. +1
    -1
      modules/markup/sanitizer.go
  4. +2
    -2
      web_src/less/_markdown.less

+ 22
- 16
modules/markup/markdown/goldmark.go View File

@ -125,24 +125,30 @@ func (g *ASTTransformer) Transform(node *ast.Document, reader text.Reader, pc pa
}
v.Destination = link
case *ast.List:
if v.HasChildren() && v.FirstChild().HasChildren() && v.FirstChild().FirstChild().HasChildren() {
if _, ok := v.FirstChild().FirstChild().FirstChild().(*east.TaskCheckBox); ok {
v.SetAttributeString("class", []byte("task-list"))
children := make([]ast.Node, 0, v.ChildCount())
child := v.FirstChild()
for child != nil {
children = append(children, child)
child = child.NextSibling()
if v.HasChildren() {
children := make([]ast.Node, 0, v.ChildCount())
child := v.FirstChild()
for child != nil {
children = append(children, child)
child = child.NextSibling()
}
v.RemoveChildren(v)
for _, child := range children {
listItem := child.(*ast.ListItem)
if !child.HasChildren() || !child.FirstChild().HasChildren() {
v.AppendChild(v, child)
continue
}
v.RemoveChildren(v)
for _, child := range children {
listItem := child.(*ast.ListItem)
newChild := NewTaskCheckBoxListItem(listItem)
taskCheckBox := child.FirstChild().FirstChild().(*east.TaskCheckBox)
newChild.IsChecked = taskCheckBox.IsChecked
v.AppendChild(v, newChild)
taskCheckBox, ok := child.FirstChild().FirstChild().(*east.TaskCheckBox)
if !ok {
v.AppendChild(v, child)
continue
}
newChild := NewTaskCheckBoxListItem(listItem)
newChild.IsChecked = taskCheckBox.IsChecked
newChild.SetAttributeString("class", []byte("task-list-item"))
v.AppendChild(v, newChild)
}
}
}

+ 4
- 4
modules/markup/markdown/markdown_test.go View File

@ -141,10 +141,10 @@ func testAnswers(baseURLContent, baseURLImages string) []string {
<h2 id="user-content-custom-id">More tests</h2>
<p>(from <a href="https://www.markdownguide.org/extended-syntax/" rel="nofollow">https://www.markdownguide.org/extended-syntax/</a>)</p>
<h3 id="user-content-checkboxes">Checkboxes</h3>
<ul class="task-list">
<li><span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>unchecked</label></span></li>
<li><span class="ui checked checkbox"><input type="checkbox" checked="" readonly="readonly"/><label>checked</label></span></li>
<li><span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>still unchecked</label></span></li>
<ul>
<li class="task-list-item"><span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>unchecked</label></span></li>
<li class="task-list-item"><span class="ui checked checkbox"><input type="checkbox" checked="" readonly="readonly"/><label>checked</label></span></li>
<li class="task-list-item"><span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>still unchecked</label></span></li>
</ul>
<h3 id="user-content-definition-list">Definition list</h3>
<dl>

+ 1
- 1
modules/markup/sanitizer.go View File

@ -54,7 +54,7 @@ func ReplaceSanitizer() {
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a")
// Allow classes for task lists
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`task-list`)).OnElements("ul")
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`task-list-item`)).OnElements("li")
// Allow icons
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i")

+ 2
- 2
web_src/less/_markdown.less View File

@ -192,9 +192,9 @@
list-style-type: none;
}
ul.task-list,
ol.task-list {
li.task-list-item {
list-style-type: none;
margin-left: calc(-2em + 2px);
}
ul ul,

Loading…
Cancel
Save