afan
/
gitea
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
gitea源码
2 Incheckningar
2 Grenar
Träd: f5d5e77162
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from 'f5d5e77162'
${ noResults }
gitea/modules/markup/internal/renderinternal.go

renderinternal.go 2.1KB
Historik

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. // Copyright 2024 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package internal

  5. 

  6. import (

  7. 	"crypto/rand"

  8. 	"encoding/base64"

  9. 	"html/template"

  10. 	"io"

  11. 	"regexp"

  12. 	"strings"

  13. 	"sync"

  14. 

  15. 	"code.gitea.io/gitea/modules/htmlutil"

  16. 

  17. 	"golang.org/x/net/html"

  18. )

  19. 

  20. var reAttrClass = sync.OnceValue(func() *regexp.Regexp {

  21. 	// TODO: it isn't a problem at the moment because our HTML contents are always well constructed

  22. 	return regexp.MustCompile(`(<[^>]+)\s+class="([^"]+)"([^>]*>)`)

  23. })

  24. 

  25. // RenderInternal also works without initialization

  26. // If no initialization (no secureID), it will not protect any attributes and return the original name&value

  27. type RenderInternal struct {

  28. 	secureID       string

  29. 	secureIDPrefix string

  30. }

  31. 

  32. func (r *RenderInternal) Init(output io.Writer) io.WriteCloser {

  33. 	buf := make([]byte, 12)

  34. 	_, err := rand.Read(buf)

  35. 	if err != nil {

  36. 		panic("unable to generate secure id")

  37. 	}

  38. 	return r.init(base64.URLEncoding.EncodeToString(buf), output)

  39. }

  40. 

  41. func (r *RenderInternal) init(secID string, output io.Writer) io.WriteCloser {

  42. 	r.secureID = secID

  43. 	r.secureIDPrefix = r.secureID + ":"

  44. 	return &finalProcessor{renderInternal: r, output: output}

  45. }

  46. 

  47. func (r *RenderInternal) RecoverProtectedValue(v string) (string, bool) {

  48. 	if !strings.HasPrefix(v, r.secureIDPrefix) {

  49. 		return "", false

  50. 	}

  51. 	return v[len(r.secureIDPrefix):], true

  52. }

  53. 

  54. func (r *RenderInternal) SafeAttr(name string) string {

  55. 	if r.secureID == "" {

  56. 		return name

  57. 	}

  58. 	return "data-attr-" + name

  59. }

  60. 

  61. func (r *RenderInternal) SafeValue(val string) string {

  62. 	if r.secureID == "" {

  63. 		return val

  64. 	}

  65. 	return r.secureID + ":" + val

  66. }

  67. 

  68. func (r *RenderInternal) NodeSafeAttr(attr, val string) html.Attribute {

  69. 	return html.Attribute{Key: r.SafeAttr(attr), Val: r.SafeValue(val)}

  70. }

  71. 

  72. func (r *RenderInternal) ProtectSafeAttrs(content template.HTML) template.HTML {

  73. 	if r.secureID == "" {

  74. 		return content

  75. 	}

  76. 	return template.HTML(reAttrClass().ReplaceAllString(string(content), `$1 data-attr-class="`+r.secureIDPrefix+`$2"$3`))

  77. }

  78. 

  79. func (r *RenderInternal) FormatWithSafeAttrs(w io.Writer, fmt template.HTML, a ...any) error {

  80. 	_, err := w.Write([]byte(r.ProtectSafeAttrs(htmlutil.HTMLFormat(fmt, a...))))

  81. 	return err

  82. }