Refactor markup render system (#32533)

Remove unmaintainable sanitizer rules. No need to add special "class" regexp rules anymore, use RenderInternal.SafeAttr instead, more details (and examples) are in the tests
2024-11-18 13:25:42 +08:00 · 2024-11-18 13:25:42 +08:00 · 8a20fba8eb
commit 8a20fba8eb
parent 4f879a00df
42 changed files with 568 additions and 508 deletions
--- a/modules/markup/sanitizer_custom.go
+++ b/modules/markup/sanitizer_custom.go
@ -4,6 +4,9 @@
 package markup

 import (
+	"regexp"
+	"strings"
+
 	"code.gitea.io/gitea/modules/setting"

 	"github.com/microcosm-cc/bluemonday"
@ -15,8 +18,11 @@ func (st *Sanitizer) addSanitizerRules(policy *bluemonday.Policy, rules []settin
 			policy.AllowDataURIImages()
 		}
 		if rule.Element != "" {
-			if rule.Regexp != nil {
-				policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element)
+			if rule.Regexp != "" {
+				if !strings.HasPrefix(rule.Regexp, "^") || !strings.HasSuffix(rule.Regexp, "$") {
+					panic("Markup sanitizer rule regexp must start with ^ and end with $ to be strict")
+				}
+				policy.AllowAttrs(rule.AllowAttr).Matching(regexp.MustCompile(rule.Regexp)).OnElements(rule.Element)
 			} else {
 				policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element)
 			}