Allow all URL schemes in Markdown links by default (#24805)

- Closes #21146
- Closes #16721

## :warning: BREAKING :warning:
This changes the default behavior to now create links for any URL scheme
when the user uses the markdown form for links (`[label](URL)`); this
doesn't affect the rendering of inline links. To opt out, set the
`markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes; all
other schemes (except `http` and `https`) won't be allowed.

# Before

![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d)

# After

![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>

authored by

Yarden Shoham
Giteabot
and committed by
GitHub
f5ce2ed2 38cf43d0

+18 -9
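Added example, not code from this commit or from Gitea: a standard-library model of the href decision the two branches in `sanitizer.go` make (allow-list when `CUSTOM_URL_SCHEMES` is set, the `.+` allow-all pattern when it is empty), next to a hypothetical hardened variant that refuses script-capable schemes even in the allow-all branch. `SchemeAllowed`, `dangerousSchemes` and the `hardened` switch are assumptions; bluemonday itself is not used, and relative hrefs are simply assumed allowed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// allowAllRegex is the same pattern the commit hands to AllowURLSchemesMatching.
var allowAllRegex = regexp.MustCompile(".+")

// dangerousSchemes is the added hardening (hypothetical list, not from the commit):
// schemes that must never become a clickable link even when "every scheme" is allowed.
var dangerousSchemes = map[string]bool{"javascript": true, "vbscript": true, "data": true}

// SchemeAllowed models the href decision with only the standard library.
// customSchemes is the value of markdown.CUSTOM_URL_SCHEMES; hardened switches
// the dangerous-scheme block on in the allow-all branch.
// Relative hrefs are assumed allowed, a simplification of the real policy.
func SchemeAllowed(href string, customSchemes []string, hardened bool) bool {
	u, err := url.Parse(href)
	if err != nil {
		return false // unparseable hrefs are dropped
	}
	scheme := u.Scheme // url.Parse lower-cases the scheme, so "JavaScript:" is caught too
	if scheme == "" || scheme == "http" || scheme == "https" {
		return true // http and https are always displayed, whatever the setting says
	}
	if len(customSchemes) > 0 {
		// Explicit allow-list: only the configured schemes pass.
		for _, s := range customSchemes {
			if s == scheme {
				return true
			}
		}
		return false
	}
	// Empty setting: the commit's allow-all branch, optionally hardened.
	if hardened && dangerousSchemes[scheme] {
		return false
	}
	return allowAllRegex.MatchString(scheme)
}

func main() {
	// Constructed sample hrefs: one always-on scheme, one custom scheme, one script scheme.
	links := []string{"https://example.com", "cbthunderlink://somebase64string", "javascript:void(0)"}
	for _, l := range links {
		fmt.Printf("%-34s empty+weak=%-5v empty+hardened=%-5v list[git]=%v\n",
			l, SchemeAllowed(l, nil, false), SchemeAllowed(l, nil, true), SchemeAllowed(l, []string{"git"}, true))
	}
}
```

The third row of the printed table is the point of the exercise: with the setting empty and no hardening, the script scheme is allowed, exactly as the `.+` pattern would allow it.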
+1
custom/conf/app.example.ini
··· 1327 1327 ;; Comma separated list of custom URL-Schemes that are allowed as links when rendering Markdown 1328 1328 ;; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) 1329 1329 ;; URLs starting with http and https are always displayed, whatever is put in this entry. 1330 + ;; If this entry is empty, all URL schemes are allowed. 1330 1331 ;CUSTOM_URL_SCHEMES = 1331 1332 ;; 1332 1333 ;; List of file extensions that should be rendered/edited as Markdown
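Review bot: the new comment on line 1330 says all schemes are allowed when the entry is empty, but it should tell the administrator what that includes and what it changes: with this diff an empty value means every scheme the sanitizer sees is rendered as a link, whereas before it meant http and https only. Suggest wording such as `;; If this entry is empty, every URL scheme is allowed (previously only http and https were).` and keeping the comment in step with whatever exclusions sanitizer.go ends up applying.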
+1 -1
docs/content/doc/administration/config-cheat-sheet.en-us.md
··· 276 276 trailing whitespace to paragraphs is not necessary to force a line break. 277 277 - `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional 278 278 URL hyperlinks to be rendered in Markdown. URLs beginning in http and https are 279 - always displayed 279 + always displayed. If this entry is empty, all URL schemes are allowed 280 280 - `FILE_EXTENSIONS`: **.md,.markdown,.mdown,.mkd,.livemd**: List of file extensions that should be rendered/edited as Markdown. Separate the extensions with a comma. To render files without any extension as markdown, just put a comma. 281 281 - `ENABLE_MATH`: **true**: Enables detection of `\(...\)`, `\[...\]`, `$...$` and `$$...$$` blocks as math blocks. 282 282
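Review bot: the sentence added on line 279 has no terminating period, unlike the other bullets in this list. Since the change flips the meaning of an empty value from "http and https only" to "everything", the cheat sheet should also say so explicitly, for example `If this entry is empty, all URL schemes are allowed (the previous default was http and https only).`, as this is the page admins will consult after the breaking change.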
+2 -3
go.mod
··· 76 76 github.com/mattn/go-sqlite3 v1.14.16 77 77 github.com/meilisearch/meilisearch-go v0.24.0 78 78 github.com/mholt/archiver/v3 v3.5.1 79 - github.com/microcosm-cc/bluemonday v1.0.23 79 + github.com/microcosm-cc/bluemonday v1.0.24 80 80 github.com/minio/minio-go/v7 v7.0.52 81 81 github.com/minio/sha256-simd v1.0.0 82 82 github.com/msteinert/pam v1.1.0 ··· 109 109 github.com/yuin/goldmark-meta v1.1.0 110 110 golang.org/x/crypto v0.8.0 111 111 golang.org/x/image v0.7.0 112 - golang.org/x/net v0.9.0 112 + golang.org/x/net v0.10.0 113 113 golang.org/x/oauth2 v0.7.0 114 114 golang.org/x/sys v0.8.0 115 115 golang.org/x/text v0.9.0 ··· 288 288 go.uber.org/zap v1.24.0 // indirect 289 289 golang.org/x/mod v0.10.0 // indirect 290 290 golang.org/x/sync v0.2.0 // indirect 291 - golang.org/x/term v0.8.0 // indirect 292 291 golang.org/x/time v0.3.0 // indirect 293 292 google.golang.org/appengine v1.6.7 // indirect 294 293 google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
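Review bot: besides the bluemonday bump to v1.0.24 (presumably needed for `AllowURLSchemesMatching`), the go.mod hunks raise golang.org/x/net to v0.10.0 and drop the indirect golang.org/x/term requirement, and neither extra change is mentioned in the commit message. A sentence noting that they come from `go mod tidy` after the bluemonday update, if that is the reason, would spare reviewers from wondering whether they are intentional.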
+4 -4
go.sum
··· 876 876 github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs= 877 877 github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo= 878 878 github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= 879 - github.com/microcosm-cc/bluemonday v1.0.23 h1:SMZe2IGa0NuHvnVNAZ+6B38gsTbi5e4sViiWJyDDqFY= 880 - github.com/microcosm-cc/bluemonday v1.0.23/go.mod h1:mN70sk7UkkF8TUr2IGBpNN0jAgStuPzlK76QuruE/z4= 879 + github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw= 880 + github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8= 881 881 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= 882 882 github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI= 883 883 github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= ··· 1418 1418 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 1419 1419 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 1420 1420 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= 1421 - golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= 1422 1421 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= 1422 + golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= 1423 + golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= 1423 1424 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 1424 1425 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 1425 1426 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= ··· 1543 1544 golang.org/x/term v0.6.0/go.mod 
h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= 1544 1545 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= 1545 1546 golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= 1546 - golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= 1547 1547 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 1548 1548 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 1549 1549 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+6 -1
modules/markup/sanitizer.go
··· 22 22 init sync.Once 23 23 } 24 24 25 - var sanitizer = &Sanitizer{} 25 + var ( 26 + sanitizer = &Sanitizer{} 27 + allowAllRegex = regexp.MustCompile(".+") 28 + ) 26 29 27 30 // NewSanitizer initializes sanitizer with allowed attributes based on settings. 28 31 // Multiple calls to this function will only create one instance of Sanitizer during ··· 74 77 // Custom URL-Schemes 75 78 if len(setting.Markdown.CustomURLSchemes) > 0 { 76 79 policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) 80 + } else { 81 + policy.AllowURLSchemesMatching(allowAllRegex) 77 82 } 78 83 79 84 // Allow classes for anchors
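Review bot: `allowAllRegex` (`.+`) on line 27 matches every scheme name, so in the new else branch on lines 80-81 `javascript:`, `vbscript:` and `data:` hrefs pass the sanitizer as well, and a Markdown link with such a target becomes a clickable script-bearing anchor, which is what the sanitizer exists to prevent. bluemonday consults the regexp list only for schemes absent from its explicit scheme map, so registering those three with a policy that always refuses, e.g. `policy.AllowURLSchemeWithCustomPolicy("javascript", func(*url.URL) bool { return false })`, rejects them before the allow-all pattern is reached. The `.+` pattern also deserves a comment stating the intended exclusions so the next reader does not take "all" literally.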
+4
modules/markup/sanitizer_test.go
··· 52 52 `<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`, 53 53 `<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`, 54 54 `<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`, 55 + 56 + // URLs 57 + `[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`, 58 + `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, 55 59 } 56 60 57 61 for i := 0; i < len(testCases); i += 2 {
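Review bot: the two cases added on lines 57-58 feed raw Markdown (`[my custom URL scheme](cbthunderlink://...)`) to a sanitizer that operates on HTML, so the input contains no `<a href>` and passes through unchanged whatever the scheme policy is; the test would succeed even if the else branch in sanitizer.go were deleted. Use anchors as the surrounding cases do, e.g. `<a href="cbthunderlink://somebase64string">my custom URL scheme</a>`, with the expected string reflecting any attributes the policy adds, and add a negative case whose `javascript:` href is expected to lose its link, plus a case with CustomURLSchemes set where an unlisted scheme such as `matrix` is stripped.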