fix #828; may cause unintentional breakage in other features, but security is no. 1

This commit is contained in:
Unknwon 2015-01-20 13:08:49 +08:00
parent 0e286a0ca9
commit 8e384ce46c
7 changed files with 13 additions and 10 deletions


@ -23,10 +23,10 @@ github.com/macaron-contrib/oauth2 = commit:8f394c3629
github.com/macaron-contrib/session = github.com/macaron-contrib/session =
github.com/macaron-contrib/toolbox = commit:57127bcc89 github.com/macaron-contrib/toolbox = commit:57127bcc89
github.com/mattn/go-sqlite3 = commit:a80c27ba33 github.com/mattn/go-sqlite3 = commit:a80c27ba33
github.com/microcosm-cc/bluemonday =
github.com/nfnt/resize = commit:8f44931448 github.com/nfnt/resize = commit:8f44931448
github.com/russross/blackfriday = commit:05b8cefd6a github.com/russross/blackfriday = commit:05b8cefd6a
github.com/shurcooL/go = commit:48293cbc7a github.com/shurcooL/go = commit:48293cbc7a
github.com/saintfish/chardet = commit:3af4cd4741
gopkg.in/ini.v1 = commit:28ad8c408b gopkg.in/ini.v1 = commit:28ad8c408b
gopkg.in/redis.v2 = commit:e617904962 gopkg.in/redis.v2 = commit:e617904962


@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.5.11.0103 Beta" const APP_VER = "0.5.12.0120 Beta"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())


@ -13,15 +13,19 @@ import (
"strings" "strings"
"time" "time"
"github.com/microcosm-cc/bluemonday"
"golang.org/x/net/html/charset" "golang.org/x/net/html/charset"
"golang.org/x/text/transform" "golang.org/x/text/transform"
"github.com/gogits/gogs/modules/setting"
"github.com/gogits/chardet" "github.com/gogits/chardet"
"github.com/gogits/gogs/modules/setting"
) )
// FIXME: use me to Markdown API renders
var p = bluemonday.UGCPolicy()
func Str2html(raw string) template.HTML { func Str2html(raw string) template.HTML {
return template.HTML(raw) return template.HTML(p.Sanitize(raw))
} }
func Range(l int) []int { func Range(l int) []int {
@ -113,7 +117,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms" return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
}, },
"AvatarLink": AvatarLink, "AvatarLink": AvatarLink,
"str2html": Str2html, // TODO: Legacy
"Str2html": Str2html, "Str2html": Str2html,
"TimeSince": TimeSince, "TimeSince": TimeSince,
"FileSize": FileSize, "FileSize": FileSize,
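Review bot: The new package-level policy is named `p` and carries only a vague FIXME, so a reader of the import hunk cannot tell at a glance that every Str2html call now passes through bluemonday's UGC policy before the result is marked as trusted HTML; name it `var sanitizer = bluemonday.UGCPolicy()` and document the function with `// Str2html sanitizes raw with the UGC policy before marking it as trusted template.HTML.` The FIXME wording ("use me to Markdown API renders") suggests that only the template pipeline is covered here and the Markdown API path still returns unsanitized output; if that is the case, the comment should state that gap explicitly so it is tracked rather than implied. The second hunk drops the lowercase "str2html" key, so any template outside this commit that still uses it will fail at template parse time rather than render unsanitized; a search for the old name across the templates directory before merge would confirm the rename is complete.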


@ -1 +1 @@
0.5.11.0103 Beta 0.5.12.0120 Beta


@ -32,7 +32,7 @@
<a href="{{$.RepoLink}}/issues?milestone={{.Index}}{{if .IsClosed}}&state=closed{{end}}">Issues</a> <a href="{{$.RepoLink}}/issues?milestone={{.Index}}{{if .IsClosed}}&state=closed{{end}}">Issues</a>
</p> </p>
<hr/> <hr/>
<p class="description">{{.RenderedContent | str2html}}</p> <p class="description">{{.RenderedContent | Str2html}}</p>
</div> </div>
{{end}} {{end}}
</div> </div>


@ -25,7 +25,7 @@
<div class="panel panel-default issue-content"> <div class="panel panel-default issue-content">
<div class="panel-body"> <div class="panel-body">
<div class="content markdown"> <div class="content markdown">
{{str2html .Issue.RenderedContent}} {{Str2html .Issue.RenderedContent}}
</div> </div>
<div class="issue-edit-content hidden"> <div class="issue-edit-content hidden">
<div class="form-group"> <div class="form-group">
@ -73,7 +73,7 @@
</div> </div>
<div class="panel-body markdown"> <div class="panel-body markdown">
{{if len .Content}} {{if len .Content}}
{{str2html .Content}} {{Str2html .Content}}
{{else}} {{else}}
<i>No comment entered</i> <i>No comment entered</i>
{{end}} {{end}}


@ -39,7 +39,7 @@
<span class="ahead">{{$.i18n.Tr "repo.release.ahead" .NumCommitsBehind .Target | Str2html}}</span> <span class="ahead">{{$.i18n.Tr "repo.release.ahead" .NumCommitsBehind .Target | Str2html}}</span>
</p> </p>
<div class="markdown desc"> <div class="markdown desc">
{{str2html .Note}} {{Str2html .Note}}
</div> </div>
<p class="download"> <p class="download">
<a class="btn btn-gray btn-large btn-radius" href="{{$.RepoLink}}/archive/{{.TagName}}.zip" rel="nofollow"><i class="fa fa-download"></i> {{$.i18n.Tr "repo.release.source_code"}} (ZIP)</a> <a class="btn btn-gray btn-large btn-radius" href="{{$.RepoLink}}/archive/{{.TagName}}.zip" rel="nofollow"><i class="fa fa-download"></i> {{$.i18n.Tr "repo.release.source_code"}} (ZIP)</a>