diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index 160a344bda..b9946d7d23 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -140,6 +140,12 @@ func testAnswers(baseURLContent, baseURLImages string) []string {
More tests
(from https://www.markdownguide.org/extended-syntax/)
+Checkboxes
+
Definition list
- First Term
@@ -207,6 +213,12 @@ Here are some links to the most important topics. You can find the full list of
(from https://www.markdownguide.org/extended-syntax/)
+### Checkboxes
+
+- [ ] unchecked
+- [x] checked
+- [ ] still unchecked
+
### Definition list
First Term
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index faf4163109..39e4a93dd3 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -58,15 +58,16 @@ func ReplaceSanitizer() {
// Allow icons
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i")
- sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox))$`)).OnElements("span")
// Allow unlabelled labels
sanitizer.policy.AllowNoAttrs().OnElements("label")
// Allow classes for emojis
- sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("span")
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")
+ // Allow icons, checkboxes and emojis on span
+ sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox)|(emoji))$`)).OnElements("span")
+
// Allow generally safe attributes
generalSafeAttrs := []string{"abbr", "accept", "accept-charset",
"accesskey", "action", "align", "alt",
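Review bot: The `img` rule kept as context directly above the new span rule still matches on the unanchored pattern `emoji`. Any class value that merely contains that substring, together with whatever other class names the author adds, is therefore still accepted on `img`, while the merged span pattern is now anchored with `^…$`. Changing the `img` pattern from `emoji` to `^emoji$` and adding an `img` case to the sanitizer tests would close the same gap for that element. The new comment could also say why the span patterns are merged into one rule, presumably because a second `AllowAttrs("class")` rule on the same element does not combine with the first; confirm this against the sanitizer library version in use. The body of ReplaceSanitizer continues outside the hunk.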
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
index be7bdd20e7..3e8dcecd50 100644
--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@@ -38,6 +38,11 @@ func Test_Sanitizer(t *testing.T) {
// tags
`Ctrl + C`, `Ctrl + C`,
+ `NAUGHTY`, `NAUGHTY`,
+ ``, ``,
+ ``, ``,
+ `NAUGHTY`, `NAUGHTY`,
+ `contents`, `contents`,
}
for i := 0; i < len(testCases); i += 2 {
diff --git a/web_src/js/index.js b/web_src/js/index.js
index 992295addf..21b9da41ad 100644
--- a/web_src/js/index.js
+++ b/web_src/js/index.js
@@ -65,7 +65,7 @@ function initEditPreviewTab($form) {
previewFileModes = $previewTab.data('preview-file-modes').split(',');
$previewTab.on('click', function () {
const $this = $(this);
- let context = `{$this.data('context')}/`;
+ let context = `${$this.data('context')}/`;
const treePathEl = $form.find('input#tree_path');
if (treePathEl.length > 0) {
context += treePathEl.val();