From 9cf7dbc37bbac8f43e952b14e74b80bf61f23a83 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Tue, 15 Jun 2021 21:33:54 +0100 Subject: [PATCH] issue-keyword class is being incorrectly stripped off spans Bluemonday sanitizer regexp rules are not additive, so the addition of the icons, emojis and chroma syntax policy has led to this being stripped. Signed-off-by: Andrew Thornton --- modules/markup/sanitizer.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 8d2bf5d6885fa..5611bd06ad00c 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -50,9 +50,6 @@ func ReplaceSanitizer() { sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) } - // Allow keyword markup - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span") - // Allow classes for anchors sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a") @@ -68,8 +65,8 @@ func ReplaceSanitizer() { // Allow classes for emojis sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img") - // Allow icons, emojis, and chroma syntax on span - sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$`)).OnElements("span") + // Allow icons, emojis, chroma syntax and keyword markup on span + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span") // Allow data tables sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`data-table`)).OnElements("table")