From ee6786216a608fca2de322c90c7256577f2a500a Mon Sep 17 00:00:00 2001 From: Unknwon Date: Fri, 30 Jan 2015 18:12:30 -0500 Subject: [PATCH] modules/base: clean code with #838 --- models/repo.go | 7 ++----- modules/base/markdown.go | 2 +- modules/base/template.go | 6 +----- modules/base/tool.go | 30 +++--------------------------- 4 files changed, 7 insertions(+), 38 deletions(-) diff --git a/models/repo.go b/models/repo.go index 65689b6a1..58c099d49 100644 --- a/models/repo.go +++ b/models/repo.go @@ -7,7 +7,6 @@ package models import ( "errors" "fmt" - "html" "html/template" "io/ioutil" "os" @@ -218,11 +217,9 @@ func (repo *Repository) HasAccess(uname string) bool { // DescriptionHtml does special handles to description and return HTML string. func (repo *Repository) DescriptionHtml() template.HTML { sanitize := func(s string) string { - // TODO(nuss-justin): Improve sanitization. Strip all tags? - ss := html.EscapeString(s) - return fmt.Sprintf(`%s`, ss, ss) + return fmt.Sprintf(`%[1]s`, s) } - return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize)) + return template.HTML(DescPattern.ReplaceAllStringFunc(base.Sanitizer.Sanitize(repo.Description), sanitize)) } // IsRepositoryExist returns true if the repository with given name under user has already existed. diff --git a/modules/base/markdown.go b/modules/base/markdown.go index 2cd3617a8..c7369ab9f 100644 --- a/modules/base/markdown.go +++ b/modules/base/markdown.go @@ -212,7 +212,7 @@ func RenderRawMarkdown(body []byte, urlPrefix string) []byte { func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte { body := RenderSpecialLink(rawBytes, urlPrefix) body = RenderRawMarkdown(body, urlPrefix) - body = XSS(body) + body = Sanitizer.SanitizeBytes(body) return body } diff --git a/modules/base/template.go b/modules/base/template.go index 34caa4552..f3fa13857 100644 --- a/modules/base/template.go +++ b/modules/base/template.go @@ -13,7 +13,6 @@ import ( "strings" "time" - "github.com/microcosm-cc/bluemonday" "golang.org/x/net/html/charset" "golang.org/x/text/transform" @@ -21,11 +20,8 @@ import ( "github.com/gogits/gogs/modules/setting" ) -// FIXME: use me to Markdown API renders -var p = bluemonday.UGCPolicy() - func Str2html(raw string) template.HTML { - return template.HTML(p.Sanitize(raw)) + return template.HTML(Sanitizer.Sanitize(raw)) } func Range(l int) []int { diff --git a/modules/base/tool.go b/modules/base/tool.go index ff5a4f4cd..5043364ce 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -15,17 +15,19 @@ import ( "hash" "html/template" "math" - "regexp" "strings" "time" "github.com/Unknwon/com" "github.com/Unknwon/i18n" + "github.com/microcosm-cc/bluemonday" "github.com/gogits/gogs/modules/avatar" "github.com/gogits/gogs/modules/setting" ) +var Sanitizer = bluemonday.UGCPolicy() + // Encode string to md5 hex value. func EncodeMd5(str string) string { m := md5.New() @@ -473,29 +475,3 @@ func DateFormat(t time.Time, format string) string { format = replacer.Replace(format) return t.Format(format) } - -type xssFilter struct { - reg *regexp.Regexp - repl []byte -} - -var ( - whiteSpace = []byte(" ") - xssFilters = []xssFilter{ - {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace}, - {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace}, - {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0 ]*:`), whiteSpace}, - } -) - -// XSS goes through all the XSS filters to make user input content as safe as possible. -func XSS(in []byte) []byte { - for _, filter := range xssFilters { - in = filter.reg.ReplaceAll(in, filter.repl) - } - return in -} - -func XSSString(in string) string { - return string(XSS([]byte(in))) -}