issue-keyword class is being incorrectly stripped off spans (#16163) (#16172)

Backport #16163 Bluemonday sanitizer regexp rules are not additive, so the addition of the icons, emojis and chroma syntax policy has led to this being stripped. Signed-off-by: Andrew Thornton <art27@cantab.net>
1 year ago · 849d316d8d
1 changed files with 2 additions and 5 deletions
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@ -50,9 +50,6 @@ func ReplaceSanitizer() {
 		sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
 	}

-	// Allow keyword markup
-	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
-
 	// Allow classes for anchors
 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a")

@ -68,8 +65,8 @@ func ReplaceSanitizer() {
 	// Allow classes for emojis
 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")

-	// Allow icons, emojis, and chroma syntax on span
-	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$`)).OnElements("span")
+	// Allow icons, emojis, chroma syntax and keyword markup on span
+	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span")

 	// Allow generally safe attributes
 	generalSafeAttrs := []string{"abbr", "accept", "accept-charset",