We use cookies to ensure you get the best experience on our website
Home Explore
Sign In
egonr
/
gogs
mirror of https://github.com/gogs/gogs
1
0
Fork 0
Files
Tree: latest-com
Branches Tags
gogs
/
internal
/
markup
/
sanitizer.go

sanitizer.go 2.2 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. package markup
    2. 

  2. 

  3. import (
    4. 

  4. 	"net/url"
    5. 

  5. 	"strings"
    6. 

  6. 	"sync"
    7. 

  7. 

  8. 	"github.com/microcosm-cc/bluemonday"
    9. 

  9. 

  10. 	"gogs.io/gogs/internal/conf"
    11. 

  11. 	"gogs.io/gogs/internal/lazyregexp"
    12. 

  12. )
    13. 

  13. 

  14. // Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow
    15. 

  15. // any modification to the underlying policies once it's been created.
    16. 

  16. type Sanitizer struct {
    17. 

  17. 	policy *bluemonday.Policy
    18. 

  18. 	init   sync.Once
    19. 

  19. }
    20. 

  20. 

  21. var sanitizer = &Sanitizer{
    22. 

  22. 	policy: bluemonday.UGCPolicy(),
    23. 

  23. }
    24. 

  24. 

  25. // NewSanitizer initializes sanitizer with allowed attributes based on settings.
    26. 

  26. // Multiple calls to this function will only create one instance of Sanitizer during
    27. 

  27. // entire application lifecycle.
    28. 

  28. func NewSanitizer() {
    29. 

  29. 	sanitizer.init.Do(func() {
    30. 

  30. 		// We only want to allow HighlightJS specific classes for code blocks
    31. 

  31. 		sanitizer.policy.AllowAttrs("class").Matching(lazyregexp.New(`^language-\w+$`).Regexp()).OnElements("code")
    32. 

  32. 

  33. 		// Checkboxes
    34. 

  34. 		sanitizer.policy.AllowAttrs("type").Matching(lazyregexp.New(`^checkbox$`).Regexp()).OnElements("input")
    35. 

  35. 		sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")
    36. 

  36. 

  37. 		// Only allow data URIs with safe image MIME types to prevent XSS via
    38. 

  38. 		// "data:text/html" payloads.
    39. 

  39. 		sanitizer.policy.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI)
    40. 

  40. 

  41. 		// Custom URL-Schemes
    42. 

  42. 		sanitizer.policy.AllowURLSchemes(conf.Markdown.CustomURLSchemes...)
    43. 

  43. 	})
    44. 

  44. }
    45. 

  45. 

  46. // isSafeDataURI returns whether the given data URI uses a safe image MIME type.
    47. 

  47. func isSafeDataURI(u *url.URL) bool {
    48. 

  48. 	// The opaque data of a data URI has the form "mediatype;base64,data" or
    49. 

  49. 	// "mediatype,data". We only allow common image MIME types.
    50. 

  50. 	mediatype, _, _ := strings.Cut(u.Opaque, ";")
    51. 

  51. 	mediatype, _, _ = strings.Cut(mediatype, ",")
    52. 

  52. 	switch strings.TrimSpace(strings.ToLower(mediatype)) {
    53. 

  53. 	case "image/png", "image/jpeg", "image/gif", "image/webp", "image/x-icon":
    54. 

  54. 		return true
    55. 

  55. 	}
    56. 

  56. 	return false
    57. 

  57. }
    58. 

  58. 

  59. // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.
    60. 

  60. func Sanitize(s string) string {
    61. 

  61. 	return sanitizer.policy.Sanitize(s)
    62. 

  62. }
    63. 

  63. 

  64. // SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist.
    65. 

  65. func SanitizeBytes(b []byte) []byte {
    66. 

  66. 	return sanitizer.policy.SanitizeBytes(b)
    67. 

  67. }
    68.