diff options
author | zeripath | 2021-06-16 11:35:54 +0100 |
---|---|---|
committer | GitHub | 2021-06-16 06:35:54 -0400 |
commit | 849d316d8d7498bab212dbab59caf35cf0afd5e8 (patch) | |
tree | a523f632ae0dbf036f172858af9ef1797a668de7 | |
parent | 946eb1321c620f7fc8938df130809c0522c93613 (diff) |
issue-keyword class is being incorrectly stripped off spans (#16163) (#16172)
Backport #16163
Bluemonday sanitizer regexp rules are not additive, so the addition of the icons,
emojis and chroma syntax policy has led to this being stripped.
Signed-off-by: Andrew Thornton <art27@cantab.net>
-rw-r--r-- | modules/markup/sanitizer.go | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 23ea1086e..5cae1529c 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -50,9 +50,6 @@ func ReplaceSanitizer() { sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) } - // Allow keyword markup - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span") - // Allow classes for anchors sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a") @@ -68,8 +65,8 @@ func ReplaceSanitizer() { // Allow classes for emojis sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img") - // Allow icons, emojis, and chroma syntax on span - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$`)).OnElements("span") + // Allow icons, emojis, chroma syntax and keyword markup on span + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span") // Allow generally safe attributes generalSafeAttrs := []string{"abbr", "accept", "accept-charset", |