fix #828, may cause unintentional breakage in other features, but security is no.1
This commit is contained in:
parent
0e286a0ca9
commit
8e384ce46c
7 changed files with 13 additions and 10 deletions
|
@ -13,15 +13,19 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/microcosm-cc/bluemonday"
|
||||
"golang.org/x/net/html/charset"
|
||||
"golang.org/x/text/transform"
|
||||
|
||||
"github.com/gogits/gogs/modules/setting"
|
||||
"github.com/gogits/chardet"
|
||||
"github.com/gogits/gogs/modules/setting"
|
||||
)
|
||||
|
||||
// FIXME: use me to Markdown API renders
|
||||
var p = bluemonday.UGCPolicy()
|
||||
|
||||
func Str2html(raw string) template.HTML {
|
||||
return template.HTML(raw)
|
||||
return template.HTML(p.Sanitize(raw))
|
||||
}
|
||||
|
||||
func Range(l int) []int {
|
||||
|
@ -113,7 +117,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
|
|||
return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
|
||||
},
|
||||
"AvatarLink": AvatarLink,
|
||||
"str2html": Str2html, // TODO: Legacy
|
||||
"Str2html": Str2html,
|
||||
"TimeSince": TimeSince,
|
||||
"FileSize": FileSize,
|
||||
|
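Review bot: The package-level `var p = bluemonday.UGCPolicy()` is now the only thing standing between raw user HTML and `template.HTML` in Str2html, yet it carries a one-letter name and its only comment is the FIXME saying the Markdown API render path does not use it; at minimum document its role, e.g. `// p is the HTML sanitizer policy applied by Str2html; any path that turns user input into template.HTML must go through it.` Str2html is exported but undocumented, and its contract just changed; `// Str2html sanitizes raw HTML with the package UGC policy before marking it safe for templates.` would record that. Since the FIXME is left in place, the Markdown renderer it refers to appears to still bypass sanitization after this commit, so #828 may be only partly closed unless that path is covered elsewhere. The second hunk drops one entry from TemplateFuncs, but the rendered page does not show which of `"str2html"`/`"Str2html"` went, so whichever name remains should be checked against the templates that call it.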