finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rename Str2html to SanitizeHTML and clarify its behavior (#29516)

Browse source 
Str2html was abused a lot. So use a proper name for it: SanitizeHTML

And add some tests to show its behavior.

(cherry picked from commit fb42972c057364a1dc99dfb528554e7a94415be7)

Conflicts:
	docs/content/administration/mail-templates.en-us.md
	docs/content/administration/mail-templates.zh-cn.md
	prefer their version always
This commit is contained in:
wxiaoguang 2024-03-01 18:16:19 +08:00 committed by Earl Warren
parent 58bc3af08d
commit 2892aaab02
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
14 changed files with 52 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

24
modules/templates/helper.go
View file

@ -33,16 +33,16 @@ func NewFuncMap() template.FuncMap {
// -----------------------------------------------------------------
// html/template related functions
"dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
"Eval": Eval,
"SafeHTML": SafeHTML,
"HTMLFormat": HTMLFormat,
"HTMLEscape": HTMLEscape,
"QueryEscape": url.QueryEscape,
"JSEscape": JSEscapeSafe,
"Str2html": Str2html, // TODO: rename it to SanitizeHTML
"URLJoin": util.URLJoin,
"DotEscape": DotEscape,
"dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
"Eval": Eval,
"SafeHTML": SafeHTML,
"HTMLFormat": HTMLFormat,
"HTMLEscape": HTMLEscape,
"QueryEscape": url.QueryEscape,
"JSEscape": JSEscapeSafe,
"SanitizeHTML": SanitizeHTML,
"URLJoin": util.URLJoin,
"DotEscape": DotEscape,
"PathEscape": url.PathEscape,
"PathEscapeSegments": util.PathEscapeSegments,
@ -210,8 +210,8 @@ func SafeHTML(s any) template.HTML {
panic(fmt.Sprintf("unexpected type %T", s))
}
// Str2html sanitizes the input by pre-defined markdown rules
func Str2html(s any) template.HTML {
// SanitizeHTML sanitizes the input by pre-defined markdown rules
func SanitizeHTML(s any) template.HTML {
switch v := s.(type) {
case string:
return template.HTML(markup.Sanitize(v))

5
modules/templates/helper_test.go
View file

@ -61,3 +61,8 @@ func TestJSEscapeSafe(t *testing.T) {
func TestHTMLFormat(t *testing.T) {
assert.Equal(t, template.HTML("<a>&lt; < 1</a>"), HTMLFormat("<a>%s %s %d</a>", "<", template.HTML("<"), 1))
}
func TestSanitizeHTML(t *testing.T) {
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)))
}