Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't strip HTML classes/style from custom markup #4935

Open
coreagile opened this issue Sep 14, 2018 · 3 comments

Comments

@coreagile
Copy link

commented Sep 14, 2018

  • Gitea version (or commit ref): 1.5.0
  • Git version: 2.7.4
  • Operating system: Ubuntu 16.04.5 LTS \n \l
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

When using a custom renderer (see below), much of the HTML classes are stripped from the rendered code, removing useful style (like coloring). Can we tell the renderer not to do that?

Here's my config:

[markup.html]
ENABLED         = true
FILE_EXTENSIONS = .html
RENDER_COMMAND  = /usr/local/bin/inline-html
IS_INPUT_FILE   = false

And the contents of /usr/local/bin/inline-html:

#!/bin/bash
[ $# -ge 1 -a -f "$1" ] && input="$1" || input="-"
cat $input | pup 'body' | tail -n+2 | head -n-2

I've verified that the contents of the output of /usr/local/bin/inline-html retains the HTML classes and styles of the original document. However, by the time the markup is inlined into my gitea page, it's all stripped away.
...

Screenshots

This is what a portion of my "README.html" looks like with the current version of Gitea:
image

And this is what it looks like when I view the file directly:
image

@lunny lunny added the kind/proposal label Sep 14, 2018

@nithinphilips

This comment has been minimized.

Copy link

commented Oct 8, 2018

This also affects restructuredText rendering with rst2html, which uses pygments to generate syntax highlighted html.

Configuration:

app.ini:

[markup.restructuredText]
ENABLED         = true
FILE_EXTENSIONS = .rst
RENDER_COMMAND = "python3 /usr/local/bin/rst2html.py --leave-comments --syntax-highlight=short"
IS_INPUT_FILE   = false

I placed pygments.css (generated by running pygmentize -f html -S colorful) in <gitea>/custom/public directory and added a header.tmpl in <gitea>/custom/templates/custom with the following content:

<link rel="stylesheet" href="/pygments.css">

Output from running the command directly:

<pre class="code json literal-block">
<span class="s2">&quot;attributes&quot;</span> <span class="err">:</span> <span class="p">[</span> <span class="p">{</span>
<span class="p">}</span> <span class="p">]</span>
</pre>

Same content in the Gitea page:

<pre>
<span>&quot;attributes&quot;</span> <span>:</span> <span>[</span> <span>{</span>
<span>}</span> <span]</span>
</pre>
@lunny

This comment has been minimized.

Copy link
Member

commented Oct 9, 2018

The class attributes had been removed by this rule for security, see https://github.com/go-gitea/gitea/blob/master/modules/markup/sanitizer.go#L33 . Please send a PR to change that.

@nithinphilips

This comment has been minimized.

Copy link

commented Oct 9, 2018

I have produced a local build that solves my issue by adding this line to the sanitizer:

sanitizer.policy.AllowAttrs("class").OnElements("pre", "span")

This will allow class attributes on any pre and span elements. I could not find a way to restrict this with bluemonday based on parent-child relation (ie. only allow class on span within pre class="code"), which would be a less disruptive change.

To solve @coreagile's original issue, class attribute has to be allowed globally + allow style tags. However untrusted CSS could enable code execution/vulnerable font downloads etc. and probably not a good idea. A workaround would be to allow class attributes (it doesn't look like class attributes can have any executable code) and then specify a trusted css via header.tmpl template.

Any thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
You can’t perform that action at this time.