Remove unnecessary SanitizeHTML from code (#29575)

* "mail/issue/default.tmpl": the body is rendered by backend
`markdown.RenderString() HTML`, it has been already sanitized
* "repo/settings/webhook/base_list.tmpl": "Description" is prepared by
backend `ctx.Tr`, it doesn't need to be sanitized
pull/29576/head^2
wxiaoguang 9 months ago committed by GitHub
parent e91733468e
commit dae7f1ebdb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 2
      docs/content/administration/mail-templates.en-us.md
  2. 2
      docs/content/administration/mail-templates.zh-cn.md
  3. 10
      modules/templates/helper.go
  4. 1
      modules/templates/helper_test.go
  5. 2
      templates/mail/issue/default.tmpl
  6. 2
      templates/repo/settings/webhook/base_list.tmpl
  7. 2
      templates/status/500.tmpl

@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages
{{if not (eq .Body "")}} {{if not (eq .Body "")}}
<h3>Message content</h3> <h3>Message content</h3>
<hr> <hr>
{{.Body | SanitizeHTML}} {{.Body}}
{{end}} {{end}}
</p> </p>
<hr> <hr>

@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
{{if not (eq .Body "")}} {{if not (eq .Body "")}}
<h3>消息内容:</h3> <h3>消息内容:</h3>
<hr> <hr>
{{.Body | SanitizeHTML}} {{.Body}}
{{end}} {{end}}
</p> </p>
<hr> <hr>

@ -208,14 +208,8 @@ func SafeHTML(s any) template.HTML {
} }
// SanitizeHTML sanitizes the input by pre-defined markdown rules // SanitizeHTML sanitizes the input by pre-defined markdown rules
func SanitizeHTML(s any) template.HTML { func SanitizeHTML(s string) template.HTML {
switch v := s.(type) { return template.HTML(markup.Sanitize(s))
case string:
return template.HTML(markup.Sanitize(v))
case template.HTML:
return template.HTML(markup.Sanitize(string(v)))
}
panic(fmt.Sprintf("unexpected type %T", s))
} }
func HTMLEscape(s any) template.HTML { func HTMLEscape(s any) template.HTML {

@ -64,5 +64,4 @@ func TestHTMLFormat(t *testing.T) {
func TestSanitizeHTML(t *testing.T) { func TestSanitizeHTML(t *testing.T) {
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)) assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)))
} }

@ -58,7 +58,7 @@
{{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}} {{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}}
{{end}} {{end}}
{{else}} {{else}}
{{.Body | SanitizeHTML}} {{.Body}}
{{end -}} {{end -}}
{{- range .ReviewComments}} {{- range .ReviewComments}}
<hr> <hr>

@ -10,7 +10,7 @@
<div class="ui attached segment"> <div class="ui attached segment">
<div class="ui list"> <div class="ui list">
<div class="item"> <div class="item">
{{.Description | SanitizeHTML}} {{.Description}}
</div> </div>
{{range .Webhooks}} {{range .Webhooks}}
<div class="item truncated-item-container"> <div class="item truncated-item-container">

@ -1,5 +1,5 @@
{{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics. {{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics.
* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName, SanitizeHTML * base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName
* ctx.Locale * ctx.Locale
* .Flash * .Flash
* .ErrorMsg * .ErrorMsg

Loading…
Cancel
Save