
appview: pages/markup: enable html.Unsafe in renderer

accordingly, every RenderMarkdown call has been wrapped with
bluemonday sanitization.

authored by oppi.li and committed by Tangled 3f0ba917 fea0d049

Changed files
+5 -2
appview
+2 -1
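--- a/appview/pages/funcmap.go
+++ b/appview/pages/funcmap.go
@@ -13,6 +13,7 @@
 	"time"
 
 	"github.com/dustin/go-humanize"
+	"github.com/microcosm-cc/bluemonday"
 	"tangled.sh/tangled.sh/core/appview/filetree"
 	"tangled.sh/tangled.sh/core/appview/pages/markup"
 )
@@ -144,7 +145,7 @@
 	},
 	"markdown": func(text string) template.HTML {
 		rctx := &markup.RenderContext{RendererType: markup.RendererTypeDefault}
-		return template.HTML(rctx.RenderMarkdown(text))
+		return template.HTML(bluemonday.UGCPolicy().Sanitize(rctx.RenderMarkdown(text)))
 	},
 	"isNil": func(t any) bool {
 		// returns false for other "zero" values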
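Review bot: `bluemonday.UGCPolicy()` is rebuilt on every invocation of the `markdown` template function, and the same pattern appears in the FormatMarkdown case of appview/pages/pages.go; constructing the policy allocates the whole UGC allow-list each time, which is wasteful on a path that runs once per rendered markdown field. Hoisting it to a package-level `var ugcPolicy = bluemonday.UGCPolicy()` and calling `ugcPolicy.Sanitize(rctx.RenderMarkdown(text))` keeps one policy per process; bluemonday documents a built policy as safe for concurrent use as long as it is not modified afterwards, so the shared variable must not have further `Allow*` calls applied at runtime. The sanitization step is also what makes the `template.HTML` cast safe now that the renderer has raw HTML enabled, so a one-line comment above it, e.g. `// RenderMarkdown passes raw HTML through; sanitize before trusting it as template.HTML`, would keep the next maintainer from dropping the wrapper. The funcmap literal this entry belongs to starts and ends outside the hunk.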
+2
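--- a/appview/pages/markup/markdown.go
+++ b/appview/pages/markup/markdown.go
@@ -10,6 +10,7 @@
 	"github.com/yuin/goldmark/ast"
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/parser"
+	"github.com/yuin/goldmark/renderer/html"
 	"github.com/yuin/goldmark/text"
 	"github.com/yuin/goldmark/util"
 	"tangled.sh/tangled.sh/core/appview/pages/repoinfo"
@@ -41,6 +42,7 @@
 		goldmark.WithParserOptions(
 			parser.WithAutoHeadingID(),
 		),
+		goldmark.WithRendererOptions(html.WithUnsafe()),
 	)
 
 	if rctx != nil {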
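Review bot: `html.WithUnsafe()` makes the goldmark renderer emit raw HTML found in user-supplied markdown verbatim, so from this hunk on the XSS safety of RenderMarkdown rests entirely on each caller wrapping the result in bluemonday; this commit does that at the two call sites it touches, but nothing in this file enforces it for callers added later. Consider applying the bluemonday policy inside RenderMarkdown itself (or exposing only a sanitizing wrapper), so the invariant lives next to the option that created the need for it. If the sanitization has to stay at the call sites, the option should at least be accompanied by a doc comment on RenderMarkdown stating that its output is unsanitized HTML and must be passed through bluemonday before being converted to template.HTML. The function that builds the goldmark instance starts and ends outside this hunk.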
+1 -1
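--- a/appview/pages/pages.go
+++ b/appview/pages/pages.go
@@ -562,7 +562,7 @@
 	case markup.FormatMarkdown:
 		p.rctx.RepoInfo = params.RepoInfo
 		p.rctx.RendererType = markup.RendererTypeRepoMarkdown
-		params.RenderedContents = template.HTML(p.rctx.RenderMarkdown(params.Contents))
+		params.RenderedContents = template.HTML(bluemonday.UGCPolicy().Sanitize(p.rctx.RenderMarkdown(params.Contents)))
 	}
 }
 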