fix

Author: wxiaoguang

modules/html/html.go

@@ -0,0 +1,81 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package htmlutil
+
+import (
+	"fmt"
+	"html"
+	"html/template"
+	"slices"
+	"strings"
+)
+
+// ParseSizeAndClass get size and class from string with default values
+// If present, "others" expects the new size first and then the classes to use
+func ParseSizeAndClass(defaultSize int, defaultClass string, others ...any) (int, string) {
+	size := defaultSize
+	if len(others) >= 1 {
+		if v, ok := others[0].(int); ok && v != 0 {
+			size = v
+		}
+	}
+	class := defaultClass
+	if len(others) >= 2 {
+		if v, ok := others[1].(string); ok && v != "" {
+			if class != "" {
+				class += " "
+			}
+			class += v
+		}
+	}
+	return size, class
+}
+
+func HTMLFormat(s string, rawArgs ...any) template.HTML {
+	args := slices.Clone(rawArgs)
+	for i, v := range args {
+		switch v := v.(type) {
+		case nil, bool, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, float32, float64, template.HTML:
+			// for most basic types (including template.HTML which is safe), just do nothing and use it
+		case string:
+			args[i] = template.HTMLEscapeString(v)
+		case fmt.Stringer:
+			args[i] = template.HTMLEscapeString(v.String())
+		default:
+			args[i] = template.HTMLEscapeString(fmt.Sprint(v))
+		}
+	}
+	return template.HTML(fmt.Sprintf(s, args...))
+}
+
+func CreateElementHTML[T template.HTML | string](tag string, attributes map[string]any, content ...T) template.HTML {
+	var sb strings.Builder
+	sb.WriteString("<")
+	sb.WriteString(tag)
+	for k, v := range attributes {
+		if v == nil {
+			continue
+		}
+		sb.WriteString(" ")
+		sb.WriteString(html.EscapeString(k))
+		sb.WriteString(`="`)
+		sb.WriteString(html.EscapeString(fmt.Sprint(v)))
+		sb.WriteString(`"`)
+	}
+	sb.WriteString(">")
+	for _, c := range content {
+		switch c := any(c).(type) {
+		case template.HTML:
+			sb.WriteString(string(c))
+		case string:
+			sb.WriteString(html.EscapeString(c))
+		default:
+			panic(fmt.Sprintf("unexpected type %T", c))
+		}
+	}
+	sb.WriteString("</")
+	sb.WriteString(tag)
+	sb.WriteString(">")
+	return template.HTML(sb.String())
+}

modules/htmlutil/html.go

@@ -0,0 +1,15 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package htmlutil
+
+import (
+	"html/template"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestHTMLFormat(t *testing.T) {
+	assert.Equal(t, template.HTML("<a>&lt; < 1</a>"), HTMLFormat("<a>%s %s %d</a>", "<", template.HTML("<"), 1))
+}

modules/htmlutil/html_test.go

@@ -25,9 +25,6 @@ const (
 	IssueNameStyleRegexp       = "regexp"
 )
 
-// CSS class for action keywords (e.g. "closes: #1")
-const keywordClass = "issue-keyword"
-
 type globalVarsType struct {
 	hashCurrentPattern      *regexp.Regexp
 	shortLinkPattern        *regexp.Regexp
@@ -39,6 +36,7 @@ type globalVarsType struct {
 	emojiShortCodeRegex     *regexp.Regexp
 	issueFullPattern        *regexp.Regexp
 	filesChangedFullPattern *regexp.Regexp
+	codePreviewPattern      *regexp.Regexp
 
 	tagCleaner *regexp.Regexp
 	nulCleaner *strings.Replacer
@@ -88,6 +86,9 @@ var globalVars = sync.OnceValue[*globalVarsType](func() *globalVarsType {
 	// example: https://domain/org/repo/pulls/27/files#hash
 	v.filesChangedFullPattern = regexp.MustCompile(`https?://(?:\S+/)[\w_.-]+/[\w_.-]+/pulls/((?:\w{1,10}-)?[1-9][0-9]*)/files([\?|#](\S+)?)?\b`)
 
+	// codePreviewPattern matches "http://domain/.../{owner}/{repo}/src/commit/{commit}/{filepath}#L10-L20"
+	v.codePreviewPattern = regexp.MustCompile(`https?://\S+/([^\s/]+)/([^\s/]+)/src/commit/([0-9a-f]{7,64})(/\S+)#(L\d+(-L\d+)?)`)
+
 	v.tagCleaner = regexp.MustCompile(`<((?:/?\w+/\w+)|(?:/[\w ]+/)|(/?[hH][tT][mM][lL]\b)|(/?[hH][eE][aA][dD]\b))`)
 	v.nulCleaner = strings.NewReplacer("\000", "")
 	return v
@@ -164,11 +165,7 @@ var defaultProcessors = []processor{
 // emails with HTML links, parsing shortlinks in the format of [[Link]], like
 // MediaWiki, linking issues in the format #ID, and mentions in the format
 // @user, and others.
-func PostProcess(
-	ctx *RenderContext,
-	input io.Reader,
-	output io.Writer,
-) error {
+func PostProcess(ctx *RenderContext, input io.Reader, output io.Writer) error {
 	return postProcess(ctx, defaultProcessors, input, output)
 }
 
@@ -189,10 +186,7 @@ var commitMessageProcessors = []processor{
 // RenderCommitMessage will use the same logic as PostProcess, but will disable
 // the shortLinkProcessor and will add a defaultLinkProcessor if defaultLink is
 // set, which changes every text node into a link to the passed default link.
-func RenderCommitMessage(
-	ctx *RenderContext,
-	content string,
-) (string, error) {
+func RenderCommitMessage(ctx *RenderContext, content string) (string, error) {
 	procs := commitMessageProcessors
 	return renderProcessString(ctx, procs, content)
 }
@@ -219,10 +213,7 @@ var emojiProcessors = []processor{
 // RenderCommitMessage, but will disable the shortLinkProcessor and
 // emailAddressProcessor, will add a defaultLinkProcessor if defaultLink is set,
 // which changes every text node into a link to the passed default link.
-func RenderCommitMessageSubject(
-	ctx *RenderContext,
-	defaultLink, content string,
-) (string, error) {
+func RenderCommitMessageSubject(ctx *RenderContext, defaultLink, content string) (string, error) {
 	procs := slices.Clone(commitMessageSubjectProcessors)
 	procs = append(procs, func(ctx *RenderContext, node *html.Node) {
 		ch := &html.Node{Parent: node, Type: html.TextNode, Data: node.Data}
@@ -236,10 +227,7 @@ func RenderCommitMessageSubject(
 }
 
 // RenderIssueTitle to process title on individual issue/pull page
-func RenderIssueTitle(
-	ctx *RenderContext,
-	title string,
-) (string, error) {
+func RenderIssueTitle(ctx *RenderContext, title string) (string, error) {
 	// do not render other issue/commit links in an issue's title - which in most cases is already a link.
 	return renderProcessString(ctx, []processor{
 		emojiShortCodeProcessor,
@@ -257,10 +245,7 @@ func renderProcessString(ctx *RenderContext, procs []processor, content string)
 
 // RenderDescriptionHTML will use similar logic as PostProcess, but will
 // use a single special linkProcessor.
-func RenderDescriptionHTML(
-	ctx *RenderContext,
-	content string,
-) (string, error) {
+func RenderDescriptionHTML(ctx *RenderContext, content string) (string, error) {
 	return renderProcessString(ctx, []processor{
 		descriptionLinkProcessor,
 		emojiShortCodeProcessor,
@@ -270,10 +255,7 @@ func RenderDescriptionHTML(
 
 // RenderEmoji for when we want to just process emoji and shortcodes
 // in various places it isn't already run through the normal markdown processor
-func RenderEmoji(
-	ctx *RenderContext,
-	content string,
-) (string, error) {
+func RenderEmoji(ctx *RenderContext, content string) (string, error) {
 	return renderProcessString(ctx, emojiProcessors, content)
 }
 
@@ -405,13 +387,16 @@ func processTextNodes(ctx *RenderContext, procs []processor, node *html.Node) {
 }
 
 // createKeyword() renders a highlighted version of an action keyword
-func createKeyword(content string) *html.Node {
+func createKeyword(ctx *RenderContext, content string) *html.Node {
+	// CSS class for action keywords (e.g. "closes: #1")
+	const keywordClass = "issue-keyword"
+
 	span := &html.Node{
 		Type: html.ElementNode,
 		Data: atom.Span.String(),
 		Attr: []html.Attribute{},
 	}
-	span.Attr = append(span.Attr, html.Attribute{Key: "class", Val: keywordClass})
+	span.Attr = append(span.Attr, ctx.RenderInternal.NodeSafeAttr("class", keywordClass))
 
 	text := &html.Node{
 		Type: html.TextNode,
@@ -422,7 +407,7 @@ func createKeyword(content string) *html.Node {
 	return span
 }
 
-func createLink(href, content, class string) *html.Node {
+func createLink(ctx *RenderContext, href, content, class string) *html.Node {
 	a := &html.Node{
 		Type: html.ElementNode,
 		Data: atom.A.String(),
@@ -432,7 +417,7 @@ func createLink(href, content, class string) *html.Node {
 		a.Attr = append(a.Attr, html.Attribute{Key: "data-markdown-generated-content"})
 	}
 	if class != "" {
-		a.Attr = append(a.Attr, html.Attribute{Key: "class", Val: class})
+		a.Attr = append(a.Attr, ctx.RenderInternal.NodeSafeAttr("class", class))
 	}
 
 	text := &html.Node{

modules/markup/html.go

@@ -6,7 +6,6 @@ package markup
 import (
 	"html/template"
 	"net/url"
-	"regexp"
 	"strconv"
 	"strings"
 
@@ -16,9 +15,6 @@ import (
 	"golang.org/x/net/html"
 )
 
-// codePreviewPattern matches "http://domain/.../{owner}/{repo}/src/commit/{commit}/{filepath}#L10-L20"
-var codePreviewPattern = regexp.MustCompile(`https?://\S+/([^\s/]+)/([^\s/]+)/src/commit/([0-9a-f]{7,64})(/\S+)#(L\d+(-L\d+)?)`)
-
 type RenderCodePreviewOptions struct {
 	FullURL   string
 	OwnerName string
@@ -30,7 +26,7 @@ type RenderCodePreviewOptions struct {
 }
 
 func renderCodeBlock(ctx *RenderContext, node *html.Node) (urlPosStart, urlPosStop int, htm template.HTML, err error) {
-	m := codePreviewPattern.FindStringSubmatchIndex(node.Data)
+	m := globalVars().codePreviewPattern.FindStringSubmatchIndex(node.Data)
 	if m == nil {
 		return 0, 0, "", nil
 	}
@@ -66,8 +62,8 @@ func codePreviewPatternProcessor(ctx *RenderContext, node *html.Node) {
 			node = node.NextSibling
 			continue
 		}
-		urlPosStart, urlPosEnd, h, err := renderCodeBlock(ctx, node)
-		if err != nil || h == "" {
+		urlPosStart, urlPosEnd, renderedCodeBlock, err := renderCodeBlock(ctx, node)
+		if err != nil || renderedCodeBlock == "" {
 			if err != nil {
 				log.Error("Unable to render code preview: %v", err)
 			}
@@ -84,7 +80,8 @@ func codePreviewPatternProcessor(ctx *RenderContext, node *html.Node) {
 		//    then it is resolved as: "<p>{TextBefore}</p><div NewNode/><p>{TextAfter}</p>",
 		//    so unless it could correctly replace the parent "p/li" node, it is very difficult to eliminate the "TextBefore" empty node.
 		node.Data = textBefore
-		node.Parent.InsertBefore(&html.Node{Type: html.RawNode, Data: string(h)}, next)
+		renderedCodeNode := &html.Node{Type: html.RawNode, Data: string(ctx.RenderInternal.ProtectSafeAttrs(renderedCodeBlock))}
+		node.Parent.InsertBefore(renderedCodeNode, next)
 		if textAfter != "" {
 			node.Parent.InsertBefore(&html.Node{Type: html.TextNode, Data: textAfter}, next)
 		}

modules/markup/html_codepreview.go

@@ -15,7 +15,7 @@ func emailAddressProcessor(ctx *RenderContext, node *html.Node) {
 		}
 
 		mail := node.Data[m[2]:m[3]]
-		replaceContent(node, m[2], m[3], createLink("mailto:"+mail, mail, "mailto"))
+		replaceContent(node, m[2], m[3], createLink(ctx, "mailto:"+mail, mail, "mailto"))
 		node = node.NextSibling.NextSibling
 	}
 }

modules/markup/html_email.go

@@ -35,13 +35,13 @@ func createEmoji(content, class, name string) *html.Node {
 	return span
 }
 
-func createCustomEmoji(alias string) *html.Node {
+func createCustomEmoji(ctx *RenderContext, alias string) *html.Node {
 	span := &html.Node{
 		Type: html.ElementNode,
 		Data: atom.Span.String(),
 		Attr: []html.Attribute{},
 	}
-	span.Attr = append(span.Attr, html.Attribute{Key: "class", Val: "emoji"})
+	span.Attr = append(span.Attr, ctx.RenderInternal.NodeSafeAttr("class", "emoji"))
 	span.Attr = append(span.Attr, html.Attribute{Key: "aria-label", Val: alias})
 
 	img := &html.Node{
@@ -77,7 +77,7 @@ func emojiShortCodeProcessor(ctx *RenderContext, node *html.Node) {
 		if converted == nil {
 			// check if this is a custom reaction
 			if _, exist := setting.UI.CustomEmojisMap[alias]; exist {
-				replaceContent(node, m[0], m[1], createCustomEmoji(alias))
+				replaceContent(node, m[0], m[1], createCustomEmoji(ctx, alias))
 				node = node.NextSibling.NextSibling
 				start = 0
 				continue

modules/markup/html_emoji.go

@@ -57,10 +57,10 @@ func fullIssuePatternProcessor(ctx *RenderContext, node *html.Node) {
 		matchRepo := linkParts[len(linkParts)-3]
 
 		if matchOrg == ctx.Metas["user"] && matchRepo == ctx.Metas["repo"] {
-			replaceContent(node, m[0], m[1], createLink(link, text, "ref-issue"))
+			replaceContent(node, m[0], m[1], createLink(ctx, link, text, "ref-issue"))
 		} else {
 			text = matchOrg + "/" + matchRepo + text
-			replaceContent(node, m[0], m[1], createLink(link, text, "ref-issue"))
+			replaceContent(node, m[0], m[1], createLink(ctx, link, text, "ref-issue"))
 		}
 		node = node.NextSibling.NextSibling
 	}
@@ -129,16 +129,16 @@ func issueIndexPatternProcessor(ctx *RenderContext, node *html.Node) {
 				log.Error("unable to expand template vars for ref %s, err: %v", ref.Issue, err)
 			}
 
-			link = createLink(res, reftext, "ref-issue ref-external-issue")
+			link = createLink(ctx, res, reftext, "ref-issue ref-external-issue")
 		} else {
 			// Path determines the type of link that will be rendered. It's unknown at this point whether
 			// the linked item is actually a PR or an issue. Luckily it's of no real consequence because
 			// Gitea will redirect on click as appropriate.
 			issuePath := util.Iif(ref.IsPull, "pulls", "issues")
 			if ref.Owner == "" {
-				link = createLink(util.URLJoin(ctx.Links.Prefix(), ctx.Metas["user"], ctx.Metas["repo"], issuePath, ref.Issue), reftext, "ref-issue")
+				link = createLink(ctx, util.URLJoin(ctx.Links.Prefix(), ctx.Metas["user"], ctx.Metas["repo"], issuePath, ref.Issue), reftext, "ref-issue")
 			} else {
-				link = createLink(util.URLJoin(ctx.Links.Prefix(), ref.Owner, ref.Name, issuePath, ref.Issue), reftext, "ref-issue")
+				link = createLink(ctx, util.URLJoin(ctx.Links.Prefix(), ref.Owner, ref.Name, issuePath, ref.Issue), reftext, "ref-issue")
 			}
 		}
 
@@ -151,7 +151,7 @@ func issueIndexPatternProcessor(ctx *RenderContext, node *html.Node) {
 		// Decorate action keywords if actionable
 		var keyword *html.Node
 		if references.IsXrefActionable(ref, hasExtTrackFormat) {
-			keyword = createKeyword(node.Data[ref.ActionLocation.Start:ref.ActionLocation.End])
+			keyword = createKeyword(ctx, node.Data[ref.ActionLocation.Start:ref.ActionLocation.End])
 		} else {
 			keyword = &html.Node{
 				Type: html.TextNode,
@@ -177,7 +177,7 @@ func commitCrossReferencePatternProcessor(ctx *RenderContext, node *html.Node) {
 		}
 
 		reftext := ref.Owner + "/" + ref.Name + "@" + base.ShortSha(ref.CommitSha)
-		link := createLink(util.URLJoin(ctx.Links.Prefix(), ref.Owner, ref.Name, "commit", ref.CommitSha), reftext, "commit")
+		link := createLink(ctx, util.URLJoin(ctx.Links.Prefix(), ref.Owner, ref.Name, "commit", ref.CommitSha), reftext, "commit")
 
 		replaceContent(node, ref.RefLocation.Start, ref.RefLocation.End, link)
 		node = node.NextSibling.NextSibling