From ce66ca7f9f20ee69739e8800a4a629abbe9d25ac Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 3 May 2020 21:17:24 +0100 Subject: [PATCH] Restore checkbox rendering and prevent poor sanitization of spans (#11277) * Add test Signed-off-by: Andrew Thornton * Restore checkbox rendering and prevent poor sanitization of spans Signed-off-by: Andrew Thornton * Also fix preview context Signed-off-by: Andrew Thornton * Also fix preview context Signed-off-by: Andrew Thornton --- modules/markup/markdown/markdown_test.go | 12 ++++++++++++ modules/markup/sanitizer.go | 5 +++-- modules/markup/sanitizer_test.go | 5 +++++ web_src/js/index.js | 2 +- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go index 160a344bd..b9946d7d2 100644 --- a/modules/markup/markdown/markdown_test.go +++ b/modules/markup/markdown/markdown_test.go @@ -140,6 +140,12 @@ func testAnswers(baseURLContent, baseURLImages string) []string {

More tests

(from https://www.markdownguide.org/extended-syntax/)

+

Checkboxes

+
    +
    • +
    • +
    • +

Definition list

First Term
@@ -207,6 +213,12 @@ Here are some links to the most important topics. You can find the full list of (from https://www.markdownguide.org/extended-syntax/) +### Checkboxes + +- [ ] unchecked +- [x] checked +- [ ] still unchecked + ### Definition list First Term diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index faf416310..39e4a93dd 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -58,15 +58,16 @@ func ReplaceSanitizer() { // Allow icons sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i") - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox))$`)).OnElements("span") // Allow unlabelled labels sanitizer.policy.AllowNoAttrs().OnElements("label") // Allow classes for emojis - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("span") sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img") + // Allow icons, checkboxes and emojis on span + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox)|(emoji))$`)).OnElements("span") + // Allow generally safe attributes generalSafeAttrs := []string{"abbr", "accept", "accept-charset", "accesskey", "action", "align", "alt", diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index be7bdd20e..3e8dcecd5 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -38,6 +38,11 @@ func Test_Sanitizer(t *testing.T) { // tags `Ctrl + C`, `Ctrl + C`, + `NAUGHTY`, `NAUGHTY`, + ``, ``, + ``, ``, + `NAUGHTY`, `NAUGHTY`, + `contents`, `contents`, } for i := 0; i < len(testCases); i += 2 { diff --git a/web_src/js/index.js b/web_src/js/index.js index 992295add..21b9da41a 100644 --- a/web_src/js/index.js +++ b/web_src/js/index.js @@ -65,7 +65,7 @@ function initEditPreviewTab($form) { previewFileModes = $previewTab.data('preview-file-modes').split(','); $previewTab.on('click', function () { const $this = $(this); - let context = `{$this.data('context')}/`; + let context = `${$this.data('context')}/`; const treePathEl = $form.find('input#tree_path'); if (treePathEl.length > 0) { context += treePathEl.val();