forkjo/modules/markup/sanitizer.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// Copyright 2017 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package markup

import (
	"regexp"
	"sync"

	"code.gitea.io/gitea/modules/setting"

	"github.com/microcosm-cc/bluemonday"
)

// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow
// any modification to the underlying policies once it's been created.
type Sanitizer struct {
	policy *bluemonday.Policy
	init   sync.Once
}

var sanitizer = &Sanitizer{}

// NewSanitizer initializes sanitizer with allowed attributes based on settings.
// Multiple calls to this function will only create one instance of Sanitizer during
// entire application lifecycle.
func NewSanitizer() {
	sanitizer.init.Do(func() {
		ReplaceSanitizer()
	})
}

// ReplaceSanitizer replaces the current sanitizer to account for changes in settings
func ReplaceSanitizer() {
	sanitizer.policy = bluemonday.UGCPolicy()
	// We only want to allow HighlightJS specific classes for code blocks
	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+$`)).OnElements("code")

	// Checkboxes
	sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
	sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")

	// Custom URL-Schemes
	sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)

	// Allow keyword markup
	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")

	// Allow <kbd> tags for keyboard shortcut styling
	sanitizer.policy.AllowElements("kbd")

	// Custom keyword markup
	for _, rule := range setting.ExternalSanitizerRules {
		if rule.Regexp != nil {
			sanitizer.policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element)
		} else {
			sanitizer.policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element)
		}
	}
}

// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.
func Sanitize(s string) string {
	NewSanitizer()
	return sanitizer.policy.Sanitize(s)
}

// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist.
func SanitizeBytes(b []byte) []byte {
	if len(b) == 0 {
		// nothing to sanitize
		return b
	}
	NewSanitizer()
	return sanitizer.policy.SanitizeBytes(b)
}
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
			`// Copyright 2017 The Gogs Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

Restructure markup & markdown to prepare for multiple markup language… (#2411) * restructure markup & markdown to prepare for multiple markup languages support * adjust some functions between markdown and markup * fix tests * improve the comments 2017-09-16 19:17:57 +02:00			`package markup`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00
			`import (`
			`"regexp"`
			`"sync"`

			`"code.gitea.io/gitea/modules/setting"`

			`"github.com/microcosm-cc/bluemonday"`
			`)`

			`// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow`
			`// any modification to the underlying policies once it's been created.`
			`type Sanitizer struct {`
			`policy *bluemonday.Policy`
			`init sync.Once`
			`}`

			`var sanitizer = &Sanitizer{}`

			`// NewSanitizer initializes sanitizer with allowed attributes based on settings.`
			`// Multiple calls to this function will only create one instance of Sanitizer during`
			`// entire application lifecycle.`
			`func NewSanitizer() {`
			`sanitizer.init.Do(func() {`
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint 2019-10-15 03:31:09 +02:00			`ReplaceSanitizer()`
			`})`
			`}`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint 2019-10-15 03:31:09 +02:00			`// ReplaceSanitizer replaces the current sanitizer to account for changes in settings`
			`func ReplaceSanitizer() {`
			`sanitizer.policy = bluemonday.UGCPolicy()`
			`// We only want to allow HighlightJS specific classes for code blocks`
			sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+$`)).OnElements("code")
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint 2019-10-15 03:31:09 +02:00			`// Checkboxes`
			sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
			`sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")`
Rewrite reference processing code in preparation for opening/closing from comment references (#8261) * Add a markdown stripper for mentions and xrefs * Improve comments * Small code simplification * Move reference code to modules/references * Fix typo * Make MarkdownStripper return [][]byte * Implement preliminary keywords parsing * Add FIXME comment * Fix comment * make fmt * Fix permissions check * Fix text assumptions * Fix imports * Fix lint, fmt * Fix unused import * Add missing export comment * Bypass revive on implemented interface * Move mdstripper into its own package * Support alphanumeric patterns * Refactor FindAllMentions * Move mentions test to references * Parse mentions from reference package * Refactor code to implement renderizable references * Fix typo * Move patterns and tests to the references package * Fix nil reference * Preliminary rendering attempt of closing keywords * Normalize names, comments, general tidy-up * Add CSS style for action keywords * Fix permission for admin and owner * Fix golangci-lint * Fix golangci-lint 2019-10-14 00:29:10 +02:00
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) * Support inline rendering of CUSTOM_URL_SCHEMES * Fix lint * Add tests * Fix lint 2019-10-15 03:31:09 +02:00			`// Custom URL-Schemes`
			`sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)`

			`// Allow keyword markup`
			sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
Allow kbd tags (#9245) * Allow kbd tags Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add test Signed-off-by: jolheiser <john.olheiser@gmail.com> 2019-12-03 20:02:41 +01:00
			`// Allow <kbd> tags for keyboard shortcut styling`
			`sanitizer.policy.AllowElements("kbd")`
Markdown: Sanitizier Configuration (#9075) * Support custom sanitization policy Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `<span>` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested). This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup. Resolves: #9054 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Document new sanitization configuration - Adds basic documentation to app.ini.sample, - Adds an example to the Configuration Cheat Sheet, and - Adds extended information to External Renderers section. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Drop extraneous length check in newMarkupSanitizer(...) Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Fix plural ELEMENT and ALLOW_ATTR in docs These were left over from their initial names. Make them singular to conform with the current expectations. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> 2019-12-07 20:49:04 +01:00
			`// Custom keyword markup`
			`for _, rule := range setting.ExternalSanitizerRules {`
			`if rule.Regexp != nil {`
			`sanitizer.policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element)`
			`} else {`
			`sanitizer.policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element)`
			`}`
			`}`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00			`}`

			`// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.`
			`func Sanitize(s string) string {`
fix #1501 ssh hangs caused by #1461 (#1513) 2017-04-19 13:16:36 +02:00			`NewSanitizer()`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00			`return sanitizer.policy.Sanitize(s)`
			`}`

			`// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist.`
			`func SanitizeBytes(b []byte) []byte {`
			`if len(b) == 0 {`
			`// nothing to sanitize`
			`return b`
			`}`
fix #1501 ssh hangs caused by #1461 (#1513) 2017-04-19 13:16:36 +02:00			`NewSanitizer()`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 04:52:24 +02:00			`return sanitizer.policy.SanitizeBytes(b)`
			`}`