Fix bug of link query order on markdown render (#14156)
* Fix bug of link query order on markdown render * Fix bluemonday bug and fix one wrong test Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
		
							parent
							
								
									3175d08626
								
							
						
					
					
						commit
						11555d850b
					
				
							
								
								
									
										2
									
								
								go.mod
								
								
								
								
							
							
						
						
									
										2
									
								
								go.mod
								
								
								
								
							|  | @ -126,3 +126,5 @@ require ( | ||||||
| ) | ) | ||||||
| 
 | 
 | ||||||
| replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 | replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 | ||||||
|  | 
 | ||||||
|  | replace github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 | ||||||
|  |  | ||||||
							
								
								
									
										4
									
								
								go.sum
								
								
								
								
							
							
						
						
									
										4
									
								
								go.sum
								
								
								
								
							|  | @ -743,6 +743,8 @@ github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc h1:ERSU1OvZ6MdWhHieo2oT7x | ||||||
| github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | ||||||
| github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= | github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= | ||||||
| github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= | github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= | ||||||
|  | github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 h1:1omo92DLtxQu6VwVPSZAmduHaK5zssed6cvkHyl1XOg= | ||||||
|  | github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w= | ||||||
| github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:uNwtsDp7ci48vBTTxDuwcoTXz4lwtDTe7TjCQ0noaWY= | github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:uNwtsDp7ci48vBTTxDuwcoTXz4lwtDTe7TjCQ0noaWY= | ||||||
| github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:mmIfjCSQlGYXmJ95jFN84AkQFnVABtKuJL8IrzwvUKQ= | github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:mmIfjCSQlGYXmJ95jFN84AkQFnVABtKuJL8IrzwvUKQ= | ||||||
| github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de h1:nyxwRdWHAVxpFcDThedEgQ07DbcRc5xgNObtbTp76fk= | github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de h1:nyxwRdWHAVxpFcDThedEgQ07DbcRc5xgNObtbTp76fk= | ||||||
|  | @ -801,8 +803,6 @@ github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7 h1:ydVkpU/M4/c45y | ||||||
| github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7/go.mod h1:no/hfevHbndpXR5CaJahkYCfM/FFpmM/dSOwFGU7Z1o= | github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7/go.mod h1:no/hfevHbndpXR5CaJahkYCfM/FFpmM/dSOwFGU7Z1o= | ||||||
| github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE= | github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE= | ||||||
| github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= | github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= | ||||||
| github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg= |  | ||||||
| github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w= |  | ||||||
| github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= | github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= | ||||||
| github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4= | github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4= | ||||||
| github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= | github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= | ||||||
|  |  | ||||||
|  | @ -142,7 +142,7 @@ func TestRender_links(t *testing.T) { | ||||||
| 		`<p><a href="ftp://gitea.com/file.txt" rel="nofollow">ftp://gitea.com/file.txt</a></p>`) | 		`<p><a href="ftp://gitea.com/file.txt" rel="nofollow">ftp://gitea.com/file.txt</a></p>`) | ||||||
| 	test( | 	test( | ||||||
| 		"magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download", | 		"magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download", | ||||||
| 		`<p><a href="magnet:?dn=download&xt=urn%3Abtih%3A5dee65101db281ac9c46344cd6b175cdcadabcde" rel="nofollow">magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download</a></p>`) | 		`<p><a href="magnet:?xt=urn%3Abtih%3A5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download" rel="nofollow">magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download</a></p>`) | ||||||
| 
 | 
 | ||||||
| 	// Test that should *not* be turned into URL
 | 	// Test that should *not* be turned into URL
 | ||||||
| 	test( | 	test( | ||||||
|  |  | ||||||
|  | @ -122,22 +122,79 @@ func escapeUrlComponent(val string) string { | ||||||
| 	return w.String() | 	return w.String() | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func sanitizedUrl(val string) (string, error) { | // Query represents a query
 | ||||||
|  | type Query struct { | ||||||
|  | 	Key   string | ||||||
|  | 	Value string | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | func parseQuery(query string) (values []Query, err error) { | ||||||
|  | 	for query != "" { | ||||||
|  | 		key := query | ||||||
|  | 		if i := strings.IndexAny(key, "&;"); i >= 0 { | ||||||
|  | 			key, query = key[:i], key[i+1:] | ||||||
|  | 		} else { | ||||||
|  | 			query = "" | ||||||
|  | 		} | ||||||
|  | 		if key == "" { | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		value := "" | ||||||
|  | 		if i := strings.Index(key, "="); i >= 0 { | ||||||
|  | 			key, value = key[:i], key[i+1:] | ||||||
|  | 		} | ||||||
|  | 		key, err1 := url.QueryUnescape(key) | ||||||
|  | 		if err1 != nil { | ||||||
|  | 			if err == nil { | ||||||
|  | 				err = err1 | ||||||
|  | 			} | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		value, err1 = url.QueryUnescape(value) | ||||||
|  | 		if err1 != nil { | ||||||
|  | 			if err == nil { | ||||||
|  | 				err = err1 | ||||||
|  | 			} | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		values = append(values, Query{ | ||||||
|  | 			Key:   key, | ||||||
|  | 			Value: value, | ||||||
|  | 		}) | ||||||
|  | 	} | ||||||
|  | 	return values, err | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | func encodeQueries(queries []Query) string { | ||||||
|  | 	var b strings.Builder | ||||||
|  | 	for i, query := range queries { | ||||||
|  | 		b.WriteString(url.QueryEscape(query.Key)) | ||||||
|  | 		b.WriteString("=") | ||||||
|  | 		b.WriteString(url.QueryEscape(query.Value)) | ||||||
|  | 		if i < len(queries)-1 { | ||||||
|  | 			b.WriteString("&") | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	return b.String() | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | func sanitizedURL(val string) (string, error) { | ||||||
| 	u, err := url.Parse(val) | 	u, err := url.Parse(val) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return "", err | 		return "", err | ||||||
| 	} | 	} | ||||||
| 	// sanitize the url query params
 | 
 | ||||||
| 	sanitizedQueryValues := make(url.Values, 0) | 	// we use parseQuery but not u.Query to keep the order not change because
 | ||||||
| 	queryValues := u.Query() | 	// url.Values is a map which has a random order.
 | ||||||
| 	for k, vals := range queryValues { | 	queryValues, err := parseQuery(u.RawQuery) | ||||||
| 		sk := html.EscapeString(k) | 	if err != nil { | ||||||
| 		for _, v := range vals { | 		return "", err | ||||||
| 			sv := v |  | ||||||
| 			sanitizedQueryValues.Add(sk, sv) |  | ||||||
| 		} |  | ||||||
| 	} | 	} | ||||||
| 	u.RawQuery = sanitizedQueryValues.Encode() | 	// sanitize the url query params
 | ||||||
|  | 	for i, query := range queryValues { | ||||||
|  | 		queryValues[i].Key = html.EscapeString(query.Key) | ||||||
|  | 	} | ||||||
|  | 	u.RawQuery = encodeQueries(queryValues) | ||||||
| 	// u.String() will also sanitize host/scheme/user/pass
 | 	// u.String() will also sanitize host/scheme/user/pass
 | ||||||
| 	return u.String(), nil | 	return u.String(), nil | ||||||
| } | } | ||||||
|  | @ -158,7 +215,7 @@ func (p *Policy) writeLinkableBuf(buff *bytes.Buffer, token *html.Token) { | ||||||
| 				tokenBuff.WriteString(html.EscapeString(attr.Val)) | 				tokenBuff.WriteString(html.EscapeString(attr.Val)) | ||||||
| 				continue | 				continue | ||||||
| 			} | 			} | ||||||
| 			u, err := sanitizedUrl(u) | 			u, err := sanitizedURL(u) | ||||||
| 			if err == nil { | 			if err == nil { | ||||||
| 				tokenBuff.WriteString(u) | 				tokenBuff.WriteString(u) | ||||||
| 			} else { | 			} else { | ||||||
|  |  | ||||||
|  | @ -576,7 +576,7 @@ github.com/mgechev/revive/rule | ||||||
| # github.com/mholt/archiver/v3 v3.5.0 | # github.com/mholt/archiver/v3 v3.5.0 | ||||||
| ## explicit | ## explicit | ||||||
| github.com/mholt/archiver/v3 | github.com/mholt/archiver/v3 | ||||||
| # github.com/microcosm-cc/bluemonday v1.0.4 | # github.com/microcosm-cc/bluemonday v1.0.4 => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 | ||||||
| ## explicit | ## explicit | ||||||
| github.com/microcosm-cc/bluemonday | github.com/microcosm-cc/bluemonday | ||||||
| # github.com/minio/md5-simd v1.1.0 | # github.com/minio/md5-simd v1.1.0 | ||||||
|  | @ -998,3 +998,4 @@ xorm.io/xorm/names | ||||||
| xorm.io/xorm/schemas | xorm.io/xorm/schemas | ||||||
| xorm.io/xorm/tags | xorm.io/xorm/tags | ||||||
| # github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 | # github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 | ||||||
|  | # github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 | ||||||
|  |  | ||||||
		Loading…
	
		Reference in New Issue