Skip to content

Commit 0e03afb

Browse files
wxiaoguangwxiaoguang
committed
fix
1 parent 29b2800 commit 0e03afb

File tree

15 files changed

+20
-39
lines changed

15 files changed

+20
-39
lines changed

modules/htmlutil/html.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ import (
77
"fmt"
88
"html/template"
99
"slices"
10+
"strings"
1011
)
1112

1213
// ParseSizeAndClass get size and class from string with default values
@@ -31,6 +32,9 @@ func ParseSizeAndClass(defaultSize int, defaultClass string, others ...any) (int
3132
}
3233

3334
func HTMLFormat(s template.HTML, rawArgs ...any) template.HTML {
35+
if !strings.Contains(string(s), "%") || len(rawArgs) == 0 {
36+
panic("HTMLFormat requires at least one argument, don't abuse it")
37+
}
3438
args := slices.Clone(rawArgs)
3539
for i, v := range args {
3640
switch v := v.(type) {

modules/markup/markdown/math/block_renderer.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,8 +51,8 @@ func (r *BlockRenderer) writeLines(w util.BufWriter, source []byte, n gast.Node)
5151
func (r *BlockRenderer) renderBlock(w util.BufWriter, source []byte, node gast.Node, entering bool) (gast.WalkStatus, error) {
5252
n := node.(*Block)
5353
if entering {
54-
code := giteaUtil.Iif(n.Inline, "", `<pre class="code-block is-loading">`) + `<code class="language-math display">`
55-
_ = r.renderInternal.FormatWithSafeAttrs(w, template.HTML(code))
54+
codeHTML := giteaUtil.Iif[template.HTML](n.Inline, "", `<pre class="code-block is-loading">`) + `<code class="language-math display">`
55+
_, _ = w.WriteString(string(r.renderInternal.ProtectSafeAttrs(codeHTML)))
5656
r.writeLines(w, source, n)
5757
} else {
5858
_, _ = w.WriteString(`</code>` + giteaUtil.Iif(n.Inline, "", `</pre>`) + "\n")

modules/markup/markdown/math/inline_renderer.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ func NewInlineRenderer(renderInternal *internal.RenderInternal) renderer.NodeRen
2828

2929
func (r *InlineRenderer) renderInline(w util.BufWriter, source []byte, n ast.Node, entering bool) (ast.WalkStatus, error) {
3030
if entering {
31-
_ = r.renderInternal.FormatWithSafeAttrs(w, `<code class="language-math">`)
31+
_, _ = w.WriteString(string(r.renderInternal.ProtectSafeAttrs(`<code class="language-math">`)))
3232
for c := n.FirstChild(); c != nil; c = c.NextSibling() {
3333
segment := c.(*ast.Text).Segment
3434
value := util.EscapeHTML(segment.Value(source))

modules/templates/helper.go

Lines changed: 0 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,6 @@ package templates
66

77
import (
88
"fmt"
9-
"html"
109
"html/template"
1110
"net/url"
1211
"strconv"
@@ -38,9 +37,7 @@ func NewFuncMap() template.FuncMap {
3837
"dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
3938
"Iif": iif,
4039
"Eval": evalTokens,
41-
"SafeHTML": safeHTML,
4240
"HTMLFormat": htmlFormat,
43-
"HTMLEscape": htmlEscape,
4441
"QueryEscape": queryEscape,
4542
"QueryBuild": QueryBuild,
4643
"JSEscape": jsEscapeSafe,
@@ -165,32 +162,11 @@ func NewFuncMap() template.FuncMap {
165162
}
166163
}
167164

168-
// safeHTML render raw as HTML
169-
func safeHTML(s any) template.HTML {
170-
switch v := s.(type) {
171-
case string:
172-
return template.HTML(v)
173-
case template.HTML:
174-
return v
175-
}
176-
panic(fmt.Sprintf("unexpected type %T", s))
177-
}
178-
179165
// SanitizeHTML sanitizes the input by default sanitization rules.
180166
func SanitizeHTML(s string) template.HTML {
181167
return markup.Sanitize(s)
182168
}
183169

184-
func htmlEscape(s any) template.HTML {
185-
switch v := s.(type) {
186-
case string:
187-
return template.HTML(html.EscapeString(v))
188-
case template.HTML:
189-
return v
190-
}
191-
panic(fmt.Sprintf("unexpected type %T", s))
192-
}
193-
194170
func htmlFormat(s any, args ...any) template.HTML {
195171
if len(args) == 0 {
196172
// to prevent developers from calling "HTMLFormat $userInput" by mistake which will lead to XSS

templates/admin/packages/list.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -90,7 +90,7 @@
9090
{{ctx.Locale.Tr "packages.settings.delete"}}
9191
</div>
9292
<div class="content">
93-
{{ctx.Locale.Tr "packages.settings.delete.notice" (`<span class="name"></span>`|SafeHTML) (`<span class="dataVersion"></span>`|SafeHTML)}}
93+
{{ctx.Locale.Tr "packages.settings.delete.notice" (HTMLFormat `<span class="%s"></span>` "name") (HTMLFormat `<span class="%s"></span>` "dataVersion")}}
9494
</div>
9595
{{template "base/modal_actions_confirm" .}}
9696
</div>

templates/admin/repo/list.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -103,7 +103,7 @@
103103
</div>
104104
<div class="content">
105105
<p>{{ctx.Locale.Tr "repo.settings.delete_desc"}}</p>
106-
{{ctx.Locale.Tr "repo.settings.delete_notices_2" (`<span class="name"></span>`|SafeHTML)}}<br>
106+
{{ctx.Locale.Tr "repo.settings.delete_notices_2" (HTMLFormat `<span class="%s"></span>` "name")}}<br>
107107
{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}<br>
108108
</div>
109109
{{template "base/modal_actions_confirm" .}}

templates/org/member/members.tmpl

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@
7373
{{ctx.Locale.Tr "org.members.leave"}}
7474
</div>
7575
<div class="content">
76-
<p>{{ctx.Locale.Tr "org.members.leave.detail" (`<span class="dataOrganizationName"></span>`|SafeHTML)}}</p>
76+
<p>{{ctx.Locale.Tr "org.members.leave.detail" (HTMLFormat `<span class="%s"></span>` "dataOrganizationName")}}</p>
7777
</div>
7878
{{template "base/modal_actions_confirm" .}}
7979
</div>
@@ -82,7 +82,7 @@
8282
{{ctx.Locale.Tr "org.members.remove"}}
8383
</div>
8484
<div class="content">
85-
<p>{{ctx.Locale.Tr "org.members.remove.detail" (`<span class="name"></span>`|SafeHTML) (`<span class="dataOrganizationName"></span>`|SafeHTML)}}</p>
85+
<p>{{ctx.Locale.Tr "org.members.remove.detail" (HTMLFormat `<span class="%s"></span>` "name") (HTMLFormat `<span class="%s"></span>` "dataOrganizationName")}}</p>
8686
</div>
8787
{{template "base/modal_actions_confirm" .}}
8888
</div>

templates/org/team/members.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@
8181
{{ctx.Locale.Tr "org.members.remove"}}
8282
</div>
8383
<div class="content">
84-
<p>{{ctx.Locale.Tr "org.members.remove.detail" (`<span class="name"></span>`|SafeHTML) (`<span class="dataTeamName"></span>`|SafeHTML)}}</p>
84+
<p>{{ctx.Locale.Tr "org.members.remove.detail" (HTMLFormat `<span class="%s"></span>` "name") (HTMLFormat `<span class="%s"></span>` "dataTeamName")}}</p>
8585
</div>
8686
{{template "base/modal_actions_confirm" .}}
8787
</div>

templates/org/team/sidebar.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -90,7 +90,7 @@
9090
{{ctx.Locale.Tr "org.teams.leave"}}
9191
</div>
9292
<div class="content">
93-
<p>{{ctx.Locale.Tr "org.teams.leave.detail" (`<span class="name"></span>`|SafeHTML)}}</p>
93+
<p>{{ctx.Locale.Tr "org.teams.leave.detail" (HTMLFormat `<span class="%s"></span>` "name")}}</p>
9494
</div>
9595
{{template "base/modal_actions_confirm" .}}
9696
</div>

templates/org/team/teams.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@
4949
{{ctx.Locale.Tr "org.teams.leave"}}
5050
</div>
5151
<div class="content">
52-
<p>{{ctx.Locale.Tr "org.teams.leave.detail" (`<span class="name"></span>`|SafeHTML)}}</p>
52+
<p>{{ctx.Locale.Tr "org.teams.leave.detail" (HTMLFormat `<span class="%s"></span>` "name")}}</p>
5353
</div>
5454
{{template "base/modal_actions_confirm" .}}
5555
</div>

0 commit comments

Comments
 (0)