mirror of
https://github.com/go-gitea/gitea.git
synced 2025-10-28 10:04:49 +01:00
626b27bea5
Update all go tool dependencies to latest version. WIP because I think there are new gopls errors, would like to confirm them on CI first. Here is from a local run: ``` modules/markup/markdown/goldmark.go:115:37-53: unnecessary type arguments modules/markup/html.go:45:32-49: unnecessary type arguments modules/markup/internal/renderinternal.go:20:33-49: unnecessary type arguments modules/markup/common/linkify.go:27:32-49: unnecessary type arguments modules/util/time_str.go:28:39-63: unnecessary type arguments routers/web/repo/pull.go:704:19: impossible condition: non-nil == nil modules/util/util_test.go:248:14-23: unused parameter: other ``` ~~Backport because the `gxz` update might have security benefits.~~
83 lines
2.1 KiB
Go
83 lines
2.1 KiB
Go
// Copyright 2024 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package internal
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"html/template"
|
|
"io"
|
|
"regexp"
|
|
"strings"
|
|
"sync"
|
|
|
|
"code.gitea.io/gitea/modules/htmlutil"
|
|
|
|
"golang.org/x/net/html"
|
|
)
|
|
|
|
var reAttrClass = sync.OnceValue(func() *regexp.Regexp {
|
|
// TODO: it isn't a problem at the moment because our HTML contents are always well constructed
|
|
return regexp.MustCompile(`(<[^>]+)\s+class="([^"]+)"([^>]*>)`)
|
|
})
|
|
|
|
// RenderInternal also works without initialization
|
|
// If no initialization (no secureID), it will not protect any attributes and return the original name&value
|
|
type RenderInternal struct {
|
|
secureID string
|
|
secureIDPrefix string
|
|
}
|
|
|
|
func (r *RenderInternal) Init(output io.Writer) io.WriteCloser {
|
|
buf := make([]byte, 12)
|
|
_, err := rand.Read(buf)
|
|
if err != nil {
|
|
panic("unable to generate secure id")
|
|
}
|
|
return r.init(base64.URLEncoding.EncodeToString(buf), output)
|
|
}
|
|
|
|
func (r *RenderInternal) init(secID string, output io.Writer) io.WriteCloser {
|
|
r.secureID = secID
|
|
r.secureIDPrefix = r.secureID + ":"
|
|
return &finalProcessor{renderInternal: r, output: output}
|
|
}
|
|
|
|
func (r *RenderInternal) RecoverProtectedValue(v string) (string, bool) {
|
|
if !strings.HasPrefix(v, r.secureIDPrefix) {
|
|
return "", false
|
|
}
|
|
return v[len(r.secureIDPrefix):], true
|
|
}
|
|
|
|
func (r *RenderInternal) SafeAttr(name string) string {
|
|
if r.secureID == "" {
|
|
return name
|
|
}
|
|
return "data-attr-" + name
|
|
}
|
|
|
|
func (r *RenderInternal) SafeValue(val string) string {
|
|
if r.secureID == "" {
|
|
return val
|
|
}
|
|
return r.secureID + ":" + val
|
|
}
|
|
|
|
func (r *RenderInternal) NodeSafeAttr(attr, val string) html.Attribute {
|
|
return html.Attribute{Key: r.SafeAttr(attr), Val: r.SafeValue(val)}
|
|
}
|
|
|
|
func (r *RenderInternal) ProtectSafeAttrs(content template.HTML) template.HTML {
|
|
if r.secureID == "" {
|
|
return content
|
|
}
|
|
return template.HTML(reAttrClass().ReplaceAllString(string(content), `$1 data-attr-class="`+r.secureIDPrefix+`$2"$3`))
|
|
}
|
|
|
|
func (r *RenderInternal) FormatWithSafeAttrs(w io.Writer, fmt string, a ...any) error {
|
|
_, err := w.Write([]byte(r.ProtectSafeAttrs(htmlutil.HTMLFormat(fmt, a...))))
|
|
return err
|
|
}
|