From e194cf3291df11ddf4d9235fe0d7e18322bbd0f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Justin=20Nu=C3=9F?=
Date: Tue, 22 Jul 2014 19:52:37 +0200
Subject: [PATCH 1/2] Fix issue #259. Allow links in the repository description
---
 models/repo.go | 12 +++++++++++-
 templates/repo/nav.tmpl | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/models/repo.go b/models/repo.go
index fb7bbbd0..1cfa50f7 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,9 +8,11 @@ import (
 "errors"
 "fmt"
 "io/ioutil"
+ "html/template"
 "os"
 "path"
 "path/filepath"
+ "regexp"
 "runtime"
 "sort"
 "strings"
@@ -46,6 +48,10 @@ var (
 LanguageIgns, Licenses []string
 )
+var (
+ DescriptionPattern = regexp.MustCompile(`https?://\S+`)
+)
+
 // getAssetList returns corresponding asset list in 'conf'.
 func getAssetList(prefix string) []string {
 assets := make([]string, 0, 15)
@@ -145,6 +151,10 @@ func (repo *Repository) GetOwner() (err error) {
 return err
 }
+func (repo *Repository) DescriptionHtml() template.HTML {
+ return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `$0`))
+}
+
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
 func IsRepositoryExist(u *User, repoName string) (bool, error) {
 repo := Repository{OwnerId: u.Id}
@@ -1000,4 +1010,4 @@ func IsWatching(uid, rid int64) bool {
 func ForkRepository(repoName string, uid int64) {
-}
+}
\ No newline at end of file
diff --git a/templates/repo/nav.tmpl b/templates/repo/nav.tmpl
index ea7799b3..b689e442 100644
--- a/templates/repo/nav.tmpl
+++ b/templates/repo/nav.tmpl
@@ -3,7 +3,7 @@

{{.Owner.Name}} / {{.Repository.Name}} {{if .Repository.IsPrivate}}Private{{else if .Repository.IsMirror}}Mirror{{end}}

-

{{.Repository.Description}}{{if .Repository.Website}} {{.Repository.Website}}{{end}}

+

{{.Repository.DescriptionHtml}}{{if .Repository.Website}} {{.Repository.Website}}{{end}}

{{if not .IsBareRepo}}
From 636a78fed14a4e63317a14cdec8c4ea3cb25ff86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Justin=20Nu=C3=9F?=
Date: Tue, 22 Jul 2014 20:08:04 +0200
Subject: [PATCH 2/2] Escape tags and quotes in links.
---
 models/repo.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/models/repo.go b/models/repo.go
index 1cfa50f7..845c1b75 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,6 +8,7 @@ import (
 "errors"
 "fmt"
 "io/ioutil"
+ "html"
 "html/template"
 "os"
 "path"
@@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
 }
 func (repo *Repository) DescriptionHtml() template.HTML {
- return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `$0`))
+ sanitize := func(s string) string {
+ // TODO(nuss-justin): Improve sanitization. Strip all tags?
+ ss := html.EscapeString(s)
+
+ return fmt.Sprintf(`%s`, ss, ss)
+ }
+ return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
 }
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
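Review bot: `DescriptionHtml` still wraps every part of `repo.Description` that falls outside a `DescriptionPattern` match in `template.HTML` unescaped, because `html.EscapeString` is applied only to the matched URL inside `sanitize`. Markup typed into a repository description therefore reaches `templates/repo/nav.tmpl` without html/template's auto-escaping, which is a stored cross-site scripting risk for anyone viewing the repository page. The PATCH 1/2 version of the function has the same gap and did not escape the match either. Escape the whole description before linkifying and drop the inner call so the URL is not escaped twice: `return template.HTML(DescriptionPattern.ReplaceAllStringFunc(html.EscapeString(repo.Description), sanitize))` with `ss := s` inside `sanitize`. A regression test that feeds a description with a tag next to a link and asserts the tag comes out entity-encoded would pin this down; the anchor markup in the format string is not visible in this rendering, so it is not restated here.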