| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | // Copyright 2017 The Gitea Authors. All rights reserved. | 
					
						
							|  |  |  | // Copyright 2017 The Gogs Authors. All rights reserved. | 
					
						
							| 
									
										
										
										
											2022-11-27 13:20:29 -05:00
										 |  |  | // SPDX-License-Identifier: MIT | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-09-17 01:17:57 +08:00
										 |  |  | package markup | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2019-12-31 01:53:28 +00:00
										 |  |  | 	"io" | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | 	"regexp" | 
					
						
							|  |  |  | 	"sync" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	"code.gitea.io/gitea/modules/setting" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	"github.com/microcosm-cc/bluemonday" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow | 
					
						
							|  |  |  | // any modification to the underlying policies once it's been created. | 
					
						
							|  |  |  | type Sanitizer struct { | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	defaultPolicy    *bluemonday.Policy | 
					
						
							|  |  |  | 	rendererPolicies map[string]*bluemonday.Policy | 
					
						
							|  |  |  | 	init             sync.Once | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | var sanitizer = &Sanitizer{} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // NewSanitizer initializes sanitizer with allowed attributes based on settings. | 
					
						
							|  |  |  | // Multiple calls to this function will only create one instance of Sanitizer during | 
					
						
							|  |  |  | // entire application lifecycle. | 
					
						
							|  |  |  | func NewSanitizer() { | 
					
						
							|  |  |  | 	sanitizer.init.Do(func() { | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 		InitializeSanitizer() | 
					
						
							| 
									
										
										
										
											2019-10-14 22:31:09 -03:00
										 |  |  | 	}) | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | // InitializeSanitizer (re)initializes the current sanitizer to account for changes in settings | 
					
						
							|  |  |  | func InitializeSanitizer() { | 
					
						
							|  |  |  | 	sanitizer.rendererPolicies = map[string]*bluemonday.Policy{} | 
					
						
							|  |  |  | 	sanitizer.defaultPolicy = createDefaultPolicy() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	for name, renderer := range renderers { | 
					
						
							|  |  |  | 		sanitizerRules := renderer.SanitizerRules() | 
					
						
							|  |  |  | 		if len(sanitizerRules) > 0 { | 
					
						
							|  |  |  | 			policy := createDefaultPolicy() | 
					
						
							|  |  |  | 			addSanitizerRules(policy, sanitizerRules) | 
					
						
							|  |  |  | 			sanitizer.rendererPolicies[name] = policy | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func createDefaultPolicy() *bluemonday.Policy { | 
					
						
							|  |  |  | 	policy := bluemonday.UGCPolicy() | 
					
						
							| 
									
										
										
										
											2021-11-16 09:16:05 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// For JS code copy and Mermaid loading state | 
					
						
							|  |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^code-block( is-loading)?$`)).OnElements("pre") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-10-21 15:00:53 +03:00
										 |  |  | 	// For color preview | 
					
						
							|  |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^color-preview$`)).OnElements("span") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-11-09 02:11:26 +02:00
										 |  |  | 	// For attention | 
					
						
							|  |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^attention-\w+$`)).OnElements("strong") | 
					
						
							|  |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^attention-icon attention-\w+$`)).OnElements("span", "strong") | 
					
						
							|  |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^svg octicon-\w+$`)).OnElements("svg") | 
					
						
							|  |  |  | 	policy.AllowAttrs("viewBox", "width", "height", "aria-hidden").OnElements("svg") | 
					
						
							|  |  |  | 	policy.AllowAttrs("fill-rule", "d").OnElements("path") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-06-30 17:34:03 -04:00
										 |  |  | 	// For Chroma markdown plugin | 
					
						
							| 
									
										
										
										
											2022-09-13 17:33:37 +01:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^(chroma )?language-[\w-]+( display)?( is-loading)?$`)).OnElements("code") | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-10-14 22:31:09 -03:00
										 |  |  | 	// Checkboxes | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input") | 
					
						
							|  |  |  | 	policy.AllowAttrs("checked", "disabled", "data-source-position").OnElements("input") | 
					
						
							| 
									
										
										
										
											2019-10-13 19:29:10 -03:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-10-14 22:31:09 -03:00
										 |  |  | 	// Custom URL-Schemes | 
					
						
							| 
									
										
										
										
											2021-04-05 22:38:31 +01:00
										 |  |  | 	if len(setting.Markdown.CustomURLSchemes) > 0 { | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 		policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) | 
					
						
							| 
									
										
										
										
											2021-04-05 22:38:31 +01:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2019-10-14 22:31:09 -03:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-01-19 22:39:21 -06:00
										 |  |  | 	// Allow classes for anchors | 
					
						
							| 
									
										
										
										
											2021-09-15 09:45:27 +01:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue( ref-external-issue)?`)).OnElements("a") | 
					
						
							| 
									
										
										
										
											2020-01-19 22:39:21 -06:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-03-08 15:17:03 -04:00
										 |  |  | 	// Allow classes for task lists | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`task-list-item`)).OnElements("li") | 
					
						
							| 
									
										
										
										
											2020-03-08 15:17:03 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-04-24 14:22:36 +01:00
										 |  |  | 	// Allow icons | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i") | 
					
						
							| 
									
										
										
										
											2020-04-26 06:09:08 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// Allow unlabelled labels | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowNoAttrs().OnElements("label") | 
					
						
							| 
									
										
										
										
											2020-04-24 14:22:36 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-04-28 14:05:39 -04:00
										 |  |  | 	// Allow classes for emojis | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img") | 
					
						
							| 
									
										
										
										
											2020-04-28 14:05:39 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-16 02:02:03 +01:00
										 |  |  | 	// Allow icons, emojis, chroma syntax and keyword markup on span | 
					
						
							| 
									
										
										
										
											2022-09-13 17:33:37 +01:00
										 |  |  | 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji)|(language-math display)|(language-math inline))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span") | 
					
						
							| 
									
										
										
										
											2021-03-29 22:44:28 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-07-15 06:38:10 +00:00
										 |  |  | 	// Allow 'style' attribute on text elements. | 
					
						
							|  |  |  | 	policy.AllowAttrs("style").OnElements("span", "p") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-10-21 15:00:53 +03:00
										 |  |  | 	// Allow 'color' and 'background-color' properties for the style attribute on text elements. | 
					
						
							|  |  |  | 	policy.AllowStyles("color", "background-color").OnElements("span", "p") | 
					
						
							| 
									
										
										
										
											2022-07-15 06:38:10 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-02-28 20:05:12 +00:00
										 |  |  | 	// Allow generally safe attributes | 
					
						
							| 
									
										
										
										
											2022-01-20 18:46:10 +01:00
										 |  |  | 	generalSafeAttrs := []string{ | 
					
						
							|  |  |  | 		"abbr", "accept", "accept-charset", | 
					
						
							| 
									
										
										
										
											2020-02-28 20:05:12 +00:00
										 |  |  | 		"accesskey", "action", "align", "alt", | 
					
						
							|  |  |  | 		"aria-describedby", "aria-hidden", "aria-label", "aria-labelledby", | 
					
						
							|  |  |  | 		"axis", "border", "cellpadding", "cellspacing", "char", | 
					
						
							|  |  |  | 		"charoff", "charset", "checked", | 
					
						
							|  |  |  | 		"clear", "cols", "colspan", "color", | 
					
						
							|  |  |  | 		"compact", "coords", "datetime", "dir", | 
					
						
							|  |  |  | 		"disabled", "enctype", "for", "frame", | 
					
						
							|  |  |  | 		"headers", "height", "hreflang", | 
					
						
							|  |  |  | 		"hspace", "ismap", "label", "lang", | 
					
						
							|  |  |  | 		"maxlength", "media", "method", | 
					
						
							|  |  |  | 		"multiple", "name", "nohref", "noshade", | 
					
						
							|  |  |  | 		"nowrap", "open", "prompt", "readonly", "rel", "rev", | 
					
						
							|  |  |  | 		"rows", "rowspan", "rules", "scope", | 
					
						
							|  |  |  | 		"selected", "shape", "size", "span", | 
					
						
							|  |  |  | 		"start", "summary", "tabindex", "target", | 
					
						
							|  |  |  | 		"title", "type", "usemap", "valign", "value", | 
					
						
							|  |  |  | 		"vspace", "width", "itemprop", | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	generalSafeElements := []string{ | 
					
						
							|  |  |  | 		"h1", "h2", "h3", "h4", "h5", "h6", "h7", "h8", "br", "b", "i", "strong", "em", "a", "pre", "code", "img", "tt", | 
					
						
							|  |  |  | 		"div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot", "blockquote", | 
					
						
							|  |  |  | 		"dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th", "s", "strike", "summary", | 
					
						
							|  |  |  | 		"details", "caption", "figure", "figcaption", | 
					
						
							|  |  |  | 		"abbr", "bdo", "cite", "dfn", "mark", "small", "span", "time", "wbr", | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs(generalSafeAttrs...).OnElements(generalSafeElements...) | 
					
						
							| 
									
										
										
										
											2020-02-28 20:05:12 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy.AllowAttrs("itemscope", "itemtype").OnElements("div") | 
					
						
							| 
									
										
										
										
											2020-02-28 20:05:12 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// FIXME: Need to handle longdesc in img but there is no easy way to do it | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-07 14:49:04 -05:00
										 |  |  | 	// Custom keyword markup | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	addSanitizerRules(policy, setting.ExternalSanitizerRules) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return policy | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func addSanitizerRules(policy *bluemonday.Policy, rules []setting.MarkupSanitizerRule) { | 
					
						
							|  |  |  | 	for _, rule := range rules { | 
					
						
							|  |  |  | 		if rule.AllowDataURIImages { | 
					
						
							|  |  |  | 			policy.AllowDataURIImages() | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		if rule.Element != "" { | 
					
						
							|  |  |  | 			if rule.Regexp != nil { | 
					
						
							|  |  |  | 				policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element) | 
					
						
							|  |  |  | 			} else { | 
					
						
							|  |  |  | 				policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element) | 
					
						
							|  |  |  | 			} | 
					
						
							| 
									
										
										
										
											2019-12-07 14:49:04 -05:00
										 |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. | 
					
						
							|  |  |  | func Sanitize(s string) string { | 
					
						
							| 
									
										
										
										
											2017-04-19 19:16:36 +08:00
										 |  |  | 	NewSanitizer() | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	return sanitizer.defaultPolicy.Sanitize(s) | 
					
						
							| 
									
										
										
										
											2017-04-13 04:52:24 +02:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-31 01:53:28 +00:00
										 |  |  | // SanitizeReader sanitizes a Reader | 
					
						
							| 
									
										
										
										
											2021-11-19 11:46:47 +01:00
										 |  |  | func SanitizeReader(r io.Reader, renderer string, w io.Writer) error { | 
					
						
							| 
									
										
										
										
											2019-12-31 01:53:28 +00:00
										 |  |  | 	NewSanitizer() | 
					
						
							| 
									
										
										
										
											2021-06-23 23:09:51 +02:00
										 |  |  | 	policy, exist := sanitizer.rendererPolicies[renderer] | 
					
						
							|  |  |  | 	if !exist { | 
					
						
							|  |  |  | 		policy = sanitizer.defaultPolicy | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-11-19 11:46:47 +01:00
										 |  |  | 	return policy.SanitizeReaderToWriter(r, w) | 
					
						
							| 
									
										
										
										
											2019-12-31 01:53:28 +00:00
										 |  |  | } |