9 gadi atpakaļ · 4e96a4a62b
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -41,6 +41,9 @@ ORG_PAGING_NUM = 50
 
				 [markdown]
			
 
				 ; Enable hard line break extension
			
 
				 ENABLE_HARD_LINE_BREAK = false
			
 
				+; List of custom URL-Schemes that are allowed as links when rendering Markdown
			
 
				+; for example git,magnet
			
 
				+CUSTOM_URL_SCHEMES =
			
 
				 
			
 
				 [server]
			
 
				 PROTOCOL = http
			
--- a/modules/base/markdown.go
+++ b/modules/base/markdown.go
@@ -31,16 +31,10 @@ func isalnum(c byte) bool {
 
				 	return (c >= '0' && c <= '9') || isletter(c)
			
 
				 }
			
 
				 
			
 
				-var validLinks = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://")}
			
 
				+var validLinksPattern = regexp.MustCompile(`^[a-z][\w-]+://`)
			
 
				 
			
 
				 func isLink(link []byte) bool {
			
 
				-	for _, prefix := range validLinks {
			
 
				-		if len(link) > len(prefix) && bytes.Equal(bytes.ToLower(link[:len(prefix)]), prefix) && isalnum(link[len(prefix)]) {
			
 
				-			return true
			
 
				-		}
			
 
				-	}
			
 
				-
			
 
				-	return false
			
 
				+	return validLinksPattern.Match(link)
			
 
				 }
			
 
				 
			
 
				 func IsMarkdownFile(name string) bool {
			
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -31,16 +31,19 @@ import (
 
				 	"github.com/gogits/gogs/modules/setting"
			
 
				 )
			
 
				 
			
 
				-func BuildSanitizer() (p *bluemonday.Policy) {
			
 
				-	p = bluemonday.UGCPolicy()
			
 
				-	p.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
			
 
				+var Sanitizer = bluemonday.UGCPolicy()
			
 
				 
			
 
				-	p.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
			
 
				-	p.AllowAttrs("checked", "disabled").OnElements("input")
			
 
				-	return p
			
 
				-}
			
 
				+func BuildSanitizer() {
			
 
				+	// Normal markdown-stuff
			
 
				+	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
			
 
				+
			
 
				+	// Checkboxes
			
 
				+	Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
			
 
				+	Sanitizer.AllowAttrs("checked", "disabled").OnElements("input")
			
 
				 
			
 
				-var Sanitizer = BuildSanitizer()
			
 
				+	// Custom URL-Schemes
			
 
				+	Sanitizer.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
			
 
				+}
			
 
				 
			
 
				 // EncodeMD5 encodes string to md5 hex value.
			
 
				 func EncodeMD5(str string) string {
			
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -118,6 +118,7 @@ var (
 
				 	// Markdown sttings
			
 
				 	Markdown struct {
			
 
				 		EnableHardLineBreak bool
			
 
				+		CustomURLSchemes    []string `ini:"CUSTOM_URL_SCHEMES"`
			
 
				 	}
			
 
				 
			
 
				 	// Picture settings
			
--- a/routers/install.go
+++ b/routers/install.go
@@ -91,6 +91,9 @@ func GlobalInit() {
 
				 		ssh.Listen(setting.SSHPort)
			
 
				 		log.Info("SSH server started on :%v", setting.SSHPort)
			
 
				 	}
			
 
				+
			
 
				+	// Build Sanitizer
			
 
				+	base.BuildSanitizer()
			
 
				 }
			
 
				 
			
 
				 func InstallInit(ctx *middleware.Context) {