modules/base: clean code with #838

This commit is contained in:
Unknwon 2015-01-30 18:12:30 -05:00
parent 37fcc8daf2
commit ee6786216a
4 changed files with 7 additions and 38 deletions

View file

@ -7,7 +7,6 @@ package models
import ( import (
"errors" "errors"
"fmt" "fmt"
"html"
"html/template" "html/template"
"io/ioutil" "io/ioutil"
"os" "os"
@ -218,11 +217,9 @@ func (repo *Repository) HasAccess(uname string) bool {
// DescriptionHtml does special handles to description and return HTML string. // DescriptionHtml does special handles to description and return HTML string.
func (repo *Repository) DescriptionHtml() template.HTML { func (repo *Repository) DescriptionHtml() template.HTML {
sanitize := func(s string) string { sanitize := func(s string) string {
// TODO(nuss-justin): Improve sanitization. Strip all tags? return fmt.Sprintf(`<a href="%[1]s" target="_blank">%[1]s</a>`, s)
ss := html.EscapeString(s)
return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
} }
return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize)) return template.HTML(DescPattern.ReplaceAllStringFunc(base.Sanitizer.Sanitize(repo.Description), sanitize))
} }
// IsRepositoryExist returns true if the repository with given name under user has already existed. // IsRepositoryExist returns true if the repository with given name under user has already existed.

View file

@ -212,7 +212,7 @@ func RenderRawMarkdown(body []byte, urlPrefix string) []byte {
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte { func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix) body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix) body = RenderRawMarkdown(body, urlPrefix)
body = XSS(body) body = Sanitizer.SanitizeBytes(body)
return body return body
} }

View file

@ -13,7 +13,6 @@ import (
"strings" "strings"
"time" "time"
"github.com/microcosm-cc/bluemonday"
"golang.org/x/net/html/charset" "golang.org/x/net/html/charset"
"golang.org/x/text/transform" "golang.org/x/text/transform"
@ -21,11 +20,8 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
// FIXME: use me to Markdown API renders
var p = bluemonday.UGCPolicy()
func Str2html(raw string) template.HTML { func Str2html(raw string) template.HTML {
return template.HTML(p.Sanitize(raw)) return template.HTML(Sanitizer.Sanitize(raw))
} }
func Range(l int) []int { func Range(l int) []int {

View file

@ -15,17 +15,19 @@ import (
"hash" "hash"
"html/template" "html/template"
"math" "math"
"regexp"
"strings" "strings"
"time" "time"
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/Unknwon/i18n" "github.com/Unknwon/i18n"
"github.com/microcosm-cc/bluemonday"
"github.com/gogits/gogs/modules/avatar" "github.com/gogits/gogs/modules/avatar"
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
var Sanitizer = bluemonday.UGCPolicy()
// Encode string to md5 hex value. // Encode string to md5 hex value.
func EncodeMd5(str string) string { func EncodeMd5(str string) string {
m := md5.New() m := md5.New()
@ -473,29 +475,3 @@ func DateFormat(t time.Time, format string) string {
format = replacer.Replace(format) format = replacer.Replace(format)
return t.Format(format) return t.Format(format)
} }
type xssFilter struct {
reg *regexp.Regexp
repl []byte
}
var (
whiteSpace = []byte(" ")
xssFilters = []xssFilter{
{regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
{regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
{regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0&#x0D;]*:`), whiteSpace},
}
)
// XSS goes through all the XSS filters to make user input content as safe as possible.
func XSS(in []byte) []byte {
for _, filter := range xssFilters {
in = filter.reg.ReplaceAll(in, filter.repl)
}
return in
}
func XSSString(in string) string {
return string(XSS([]byte(in)))
}