Remove unnecessary SanitizeHTML from code (#29575)
* "mail/issue/default.tmpl": the body is rendered by backend `markdown.RenderString() HTML`, it has been already sanitized * "repo/settings/webhook/base_list.tmpl": "Description" is prepared by backend `ctx.Tr`, it doesn't need to be sanitized (cherry picked from commit dae7f1ebdbe19620f40e110b285f7c0ecd0bb33b)
This commit is contained in:
parent
3c05986fcf
commit
a44805e5b3
|
@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages
|
||||||
{{if not (eq .Body "")}}
|
{{if not (eq .Body "")}}
|
||||||
<h3>Message content</h3>
|
<h3>Message content</h3>
|
||||||
<hr>
|
<hr>
|
||||||
{{.Body | SanitizeHTML}}
|
{{.Body}}
|
||||||
{{end}}
|
{{end}}
|
||||||
</p>
|
</p>
|
||||||
<hr>
|
<hr>
|
||||||
|
|
|
@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
|
||||||
{{if not (eq .Body "")}}
|
{{if not (eq .Body "")}}
|
||||||
<h3>消息内容:</h3>
|
<h3>消息内容:</h3>
|
||||||
<hr>
|
<hr>
|
||||||
{{.Body | SanitizeHTML}}
|
{{.Body}}
|
||||||
{{end}}
|
{{end}}
|
||||||
</p>
|
</p>
|
||||||
<hr>
|
<hr>
|
||||||
|
|
|
@ -211,14 +211,8 @@ func SafeHTML(s any) template.HTML {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SanitizeHTML sanitizes the input by pre-defined markdown rules
|
// SanitizeHTML sanitizes the input by pre-defined markdown rules
|
||||||
func SanitizeHTML(s any) template.HTML {
|
func SanitizeHTML(s string) template.HTML {
|
||||||
switch v := s.(type) {
|
return template.HTML(markup.Sanitize(s))
|
||||||
case string:
|
|
||||||
return template.HTML(markup.Sanitize(v))
|
|
||||||
case template.HTML:
|
|
||||||
return template.HTML(markup.Sanitize(string(v)))
|
|
||||||
}
|
|
||||||
panic(fmt.Sprintf("unexpected type %T", s))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func HTMLEscape(s any) template.HTML {
|
func HTMLEscape(s any) template.HTML {
|
||||||
|
|
|
@ -64,5 +64,4 @@ func TestHTMLFormat(t *testing.T) {
|
||||||
|
|
||||||
func TestSanitizeHTML(t *testing.T) {
|
func TestSanitizeHTML(t *testing.T) {
|
||||||
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
|
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
|
||||||
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)))
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,7 +58,7 @@
|
||||||
{{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}}
|
{{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}}
|
||||||
{{end}}
|
{{end}}
|
||||||
{{else}}
|
{{else}}
|
||||||
{{.Body | SanitizeHTML}}
|
{{.Body}}
|
||||||
{{end -}}
|
{{end -}}
|
||||||
{{- range .ReviewComments}}
|
{{- range .ReviewComments}}
|
||||||
<hr>
|
<hr>
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
<div class="ui attached segment">
|
<div class="ui attached segment">
|
||||||
<div class="ui list">
|
<div class="ui list">
|
||||||
<div class="item">
|
<div class="item">
|
||||||
{{.Description | SanitizeHTML}}
|
{{.Description}}
|
||||||
</div>
|
</div>
|
||||||
{{range .Webhooks}}
|
{{range .Webhooks}}
|
||||||
<div class="item truncated-item-container">
|
<div class="item truncated-item-container">
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics.
|
{{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics.
|
||||||
* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName, SanitizeHTML
|
* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName
|
||||||
* ctx.Locale
|
* ctx.Locale
|
||||||
* .Flash
|
* .Flash
|
||||||
* .ErrorMsg
|
* .ErrorMsg
|
||||||
|
|
Loading…
Reference in a new issue