-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
markup.sanitizer in app.ini does not support multiple rule entries as expected #9888
Comments
This is related to pull request #9075. After a bit investigation, the problem is related multiple value support in For the function func NewContext() {
Cfg = ini.Empty()
if len(CustomPID) > 0 {
createPIDFile(CustomPID)
}
if com.IsFile(CustomConf) {
var err error
if Cfg, err = ini.ShadowLoad(CustomConf); err != nil {
//if err := Cfg.Append(CustomConf); err != nil {
log.Fatal("Failed to load custom conf '%s': %v", CustomConf, err)
}
} else { We'll have error as follows using the example above.
|
I suspect shadowload here isn't right. We still need something that is going to append but with shadows |
I think We need to replace the Empty() here: gitea/modules/setting/setting.go Line 520 in 7d7ab1e
With: ini.ShadowLoad([]byte{}) |
The same error
for this one,
|
Sorry I hadn't read your next issue - I was sorting out the shadow. This is never gonna work. We need to represent a matched group of values. These just need to be child sections. I don't think we can workaround this it needs an actual code change. |
Ah sorry -- I just saw this. Feel free to @mention me next time or drop me an email. One idea would be a count parameter: [markup.sanitizer]
RULE_COUNT = 2
ELEMENT_1 = a
ALLOW_ATTR_1 = target
REGEXP_1 = something
ELEMENT_2 = a
ALLOW_ATTR_2 = rel
REGEXP_2 = something That'd also solve some of the clarity problems (and omitting a regex would be a blanket whitelist) and keys would now be unique. Thoughts? Happy to implement whatever gets decided. |
@cipherboy sorry it's taken me so long to reply to this. I think the best option would actually be: [markup.sanitizer.1]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something
[markup.sanitizer.2]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something We can grab all these child sections quite easily from go-ini and even map them quite nicely to objects to result in a simple |
In #9888, it was reported that my earlier pull request #9075 didn't quite function as expected. I was quite hopeful the `ValuesWithShadow()` worked as expected (and, I thought my testing showed it did) but I guess not. @zeripath proposed an alternative syntax which I like: ```ini [markup.sanitizer.1] ELEMENT=a ALLOW_ATTR=target REGEXP=something [markup.sanitizer.2] ELEMENT=a ALLOW_ATTR=target REGEXP=something ``` This was quite easy to adopt into the existing code. I've done so in a semi-backwards-compatible manner: - The value from `.Value()` is used for each element. - We parse `[markup.sanitizer]` and all `[markup.sanitizer.*]` sections and add them as rules. This means that existing configs will load one rule (not all rules). It also means people can use string identifiers (`[markup.sanitiser.KaTeX]`) if they prefer, instead of numbered ones. Co-authored-by: Andrew Thornton <[email protected]> Co-authored-by: guillep2k <[email protected]>
Fixed by #11133 |
In go-gitea#9888, it was reported that my earlier pull request go-gitea#9075 didn't quite function as expected. I was quite hopeful the `ValuesWithShadow()` worked as expected (and, I thought my testing showed it did) but I guess not. @zeripath proposed an alternative syntax which I like: ```ini [markup.sanitizer.1] ELEMENT=a ALLOW_ATTR=target REGEXP=something [markup.sanitizer.2] ELEMENT=a ALLOW_ATTR=target REGEXP=something ``` This was quite easy to adopt into the existing code. I've done so in a semi-backwards-compatible manner: - The value from `.Value()` is used for each element. - We parse `[markup.sanitizer]` and all `[markup.sanitizer.*]` sections and add them as rules. This means that existing configs will load one rule (not all rules). It also means people can use string identifiers (`[markup.sanitiser.KaTeX]`) if they prefer, instead of numbered ones. Co-authored-by: Andrew Thornton <[email protected]> Co-authored-by: guillep2k <[email protected]>
ValueWithShadows()
called in functionnewMarkupSanitizer()
(filemodules/setting/markup.go
) always returns one element.For example, the following section in
app.ini
means "rel" attribute is allowed for "a" element while "target" attribute is still ignored.The text was updated successfully, but these errors were encountered: