
markdown: improve filter of class attribute for code blocks

Only allow HighlightJS-specific classes.

Reported by ChALkeR.
Unknwon há 7 anos atrás
pai
commit
9d06ebd01a
3 ficheiros alterados com 4 adições e 4 exclusões
  1. 1 1
      gogs.go
  2. 2 2
      modules/markdown/markdown.go
  3. 1 1
      templates/.VERSION

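--- a/gogs.go
+++ b/gogs.go
@@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.10.32.0328 / 0.11 RC"
+const APP_VER = "0.10.33.0329 / 0.11 RC"
 
 func init() {
 	setting.AppVer = APP_VER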

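--- a/modules/markdown/markdown.go
+++ b/modules/markdown/markdown.go
@@ -32,8 +32,8 @@ var Sanitizer = bluemonday.UGCPolicy()
 // BuildSanitizer initializes sanitizer with allowed attributes based on settings.
 // This function should only be called once during entire application lifecycle.
 func BuildSanitizer() {
-	// Normal markdown-stuff
-	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
+	// We only want to allow HighlightJS specific classes for code blocks
+	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
 
 	// Checkboxes
 	Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")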
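Review bot: The new pattern `^language-\w+` for the `class` attribute on `code` is anchored only at the start, so a value like `language-go some-other-class` still matches and any number of additional, arbitrary classes survive sanitization — the same class-injection the commit sets out to close, just behind a `language-` prefix. Anchoring the end as well, `^language-\w+$`, limits the attribute to exactly one HighlightJS language class, which is what the new comment on the line above promises; if hyphenated language names are needed, `^language-[\w-]+$` keeps the same restriction. The neighbouring `checkbox` rule two lines below is already anchored on both ends, so this brings the two rules into line. BuildSanitizer's body continues past the end of the hunk.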

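--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.10.32.0328 / 0.11 RC
+0.10.33.0329 / 0.11 RC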