authorGusted <williamzijl7@hotmail.com>2022-07-15 08:38:10 +0200
committerGitHub <noreply@github.com>2022-07-15 08:38:10 +0200
commitedd945bca386929a0d0e5cfbc5fe1b225d64dd71 (patch)
tree2700b1d58918f3ee579b8ac5effe3d87dfef37bc /modules/markup
parent[skip ci] Updated translations via Crowdin (diff)
downloadforgejo-edd945bca386929a0d0e5cfbc5fe1b225d64dd71.tar.xz
forgejo-edd945bca386929a0d0e5cfbc5fe1b225d64dd71.zip
Allow to specify colors for text in markup (#20363)
`<span style="color: red">Hello World!</span>` will now be accepted by Bluemonday; all other style properties are still disallowed.
Diffstat (limited to 'modules/markup')
-rw-r--r--modules/markup/sanitizer.go6
-rw-r--r--modules/markup/sanitizer_test.go8
2 files changed, 14 insertions, 0 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 388af56712..57e88fdabc 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -85,6 +85,12 @@ func createDefaultPolicy() *bluemonday.Policy {
// Allow icons, emojis, chroma syntax and keyword markup on span
policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span")
+ // Allow 'style' attribute on text elements.
+ policy.AllowAttrs("style").OnElements("span", "p")
+
+ // Allow 'color' property for the style attribute on text elements.
+ policy.AllowStyles("color").OnElements("span", "p")
+
// Allow generally safe attributes
generalSafeAttrs := []string{
"abbr", "accept", "accept-charset",
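Review bot: The `style` attribute is allowed without a matcher on `span` and `p`, so its safety rests on the `AllowStyles("color")` call naming exactly the same elements; as far as I can tell from bluemonday, an element with the attribute allowed but no style policy would pass the whole `style` value through unfiltered. Sharing one list keeps the two calls from drifting: `textStyleElements := []string{"span", "p"}`, then `policy.AllowAttrs("style").OnElements(textStyleElements...)` and `policy.AllowStyles("color").OnElements(textStyleElements...)`. The colour value is not constrained here with `Matching` or `MatchingEnum`, so validation appears to be left to bluemonday's default handling of the property, and a comment saying so would help the next reader. User-chosen text colour can also hide or disguise content in rendered markup, which is worth recording next to the policy. `createDefaultPolicy` starts and ends outside this hunk.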
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
index 7dfca7a468..b3b07404b4 100644
--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@@ -45,6 +45,14 @@ func Test_Sanitizer(t *testing.T) {
`<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`,
`<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`,
`<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`,
+
+ // Color property
+ `<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`,
+ `<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`,
+ `<code style="color: red">Hello World</code>`, `<code>Hello World</code>`,
+ `<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`,
+ `<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`,
+ `<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`,
}
for i := 0; i < len(testCases); i += 2 {
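Review bot: The new cases only exercise a single declaration with the value `red`, so nothing pins what happens when an allowed and a disallowed property share one `style` attribute, or when the `color` value is not a colour. I would add a mixed case such as `<span style="color: red; position: fixed">Hello World</span>`, expecting only the `color` declaration to survive, and one with a function-style value such as `color: url(x)`, expecting it to be stripped; the exact serialised output should be taken from a test run. `Test_Sanitizer` starts and ends outside this hunk.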