Merge branch 'main' into feat-32257-add-comments-unchanged-lines-and-show

2025-02-21 21:51:26 +01:00 · 2024-11-28 01:20:28 +05:30 · 2024-11-28 01:20:28 +05:30 · 7d0c8e30e0
commit 7d0c8e30e0
parent 40826ddf9c 5a50b271e7
46 changed files with 1869 additions and 623 deletions
--- a/models/auth/webauthn.go
+++ b/models/auth/webauthn.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"

+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 )

@ -89,14 +90,33 @@ func (cred *WebAuthnCredential) AfterLoad() {
 // WebAuthnCredentialList is a list of *WebAuthnCredential
 type WebAuthnCredentialList []*WebAuthnCredential

+// newCredentialFlagsFromAuthenticatorFlags is copied from https://github.com/go-webauthn/webauthn/pull/337
+// to convert protocol.AuthenticatorFlags to webauthn.CredentialFlags
+func newCredentialFlagsFromAuthenticatorFlags(flags protocol.AuthenticatorFlags) webauthn.CredentialFlags {
+	return webauthn.CredentialFlags{
+		UserPresent:    flags.HasUserPresent(),
+		UserVerified:   flags.HasUserVerified(),
+		BackupEligible: flags.HasBackupEligible(),
+		BackupState:    flags.HasBackupState(),
+	}
+}
+
 // ToCredentials will convert all WebAuthnCredentials to webauthn.Credentials
-func (list WebAuthnCredentialList) ToCredentials() []webauthn.Credential {
+func (list WebAuthnCredentialList) ToCredentials(defaultAuthFlags ...protocol.AuthenticatorFlags) []webauthn.Credential {
+	// TODO: at the moment, Gitea doesn't store or check the flags
+	// so we need to use the default flags from the authenticator to make the login validation pass
+	// In the future, we should:
+	// 1. store the flags when registering the credential
+	// 2. provide the stored flags when converting the credentials (for login)
+	// 3. for old users, still use this fallback to the default flags
+	defAuthFlags := util.OptionalArg(defaultAuthFlags)
 	creds := make([]webauthn.Credential, 0, len(list))
 	for _, cred := range list {
 		creds = append(creds, webauthn.Credential{
 			ID:              cred.CredentialID,
 			PublicKey:       cred.PublicKey,
 			AttestationType: cred.AttestationType,
+			Flags:           newCredentialFlagsFromAuthenticatorFlags(defAuthFlags),
 			Authenticator: webauthn.Authenticator{
 				AAGUID:       cred.AAGUID,
 				SignCount:    cred.SignCount,
--- a/models/db/engine.go
+++ b/models/db/engine.go
@ -134,6 +134,9 @@ func SyncAllTables() error {
 func InitEngine(ctx context.Context) error {
 	xormEngine, err := newXORMEngine()
 	if err != nil {
+		if strings.Contains(err.Error(), "SQLite3 support") {
+			return fmt.Errorf(`sqlite3 requires: -tags sqlite,sqlite_unlock_notify%s%w`, "\n", err)
+		}
 		return fmt.Errorf("failed to connect to database: %w", err)
 	}

--- a/models/git/protected_branch.go
+++ b/models/git/protected_branch.go
@ -34,6 +34,7 @@ type ProtectedBranch struct {
 	RepoID                        int64                  `xorm:"UNIQUE(s)"`
 	Repo                          *repo_model.Repository `xorm:"-"`
 	RuleName                      string                 `xorm:"'branch_name' UNIQUE(s)"` // a branch name or a glob match to branch name
+	Priority                      int64                  `xorm:"NOT NULL DEFAULT 0"`
 	globRule                      glob.Glob              `xorm:"-"`
 	isPlainName                   bool                   `xorm:"-"`
 	CanPush                       bool                   `xorm:"NOT NULL DEFAULT false"`
@ -413,14 +414,27 @@ func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, prote
 	}
 	protectBranch.ApprovalsWhitelistTeamIDs = whitelist

-	// Make sure protectBranch.ID is not 0 for whitelists
+	// Looks like it's a new rule
 	if protectBranch.ID == 0 {
+		// as it's a new rule and if priority was not set, we need to calc it.
+		if protectBranch.Priority == 0 {
+			var lowestPrio int64
+			// because of mssql we can not use builder or save xorm syntax, so raw sql it is
+			if _, err := db.GetEngine(ctx).SQL(`SELECT MAX(priority) FROM protected_branch WHERE repo_id = ?`, protectBranch.RepoID).
+				Get(&lowestPrio); err != nil {
+				return err
+			}
+			log.Trace("Create new ProtectedBranch at repo[%d] and detect current lowest priority '%d'", protectBranch.RepoID, lowestPrio)
+			protectBranch.Priority = lowestPrio + 1
+		}
+
 		if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
 			return fmt.Errorf("Insert: %v", err)
 		}
 		return nil
 	}

+	// update the rule
 	if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
 		return fmt.Errorf("Update: %v", err)
 	}
@ -428,6 +442,24 @@ func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, prote
 	return nil
 }

+func UpdateProtectBranchPriorities(ctx context.Context, repo *repo_model.Repository, ids []int64) error {
+	prio := int64(1)
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		for _, id := range ids {
+			if _, err := db.GetEngine(ctx).
+				ID(id).Where("repo_id = ?", repo.ID).
+				Cols("priority").
+				Update(&ProtectedBranch{
+					Priority: prio,
+				}); err != nil {
+				return err
+			}
+			prio++
+		}
+		return nil
+	})
+}
+
 // updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
 // the users from newWhitelist which have explicit read or write access to the repo.
 func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
--- a/models/git/protected_branch_list.go
+++ b/models/git/protected_branch_list.go
@ -28,6 +28,13 @@ func (rules ProtectedBranchRules) sort() {
 	sort.Slice(rules, func(i, j int) bool {
 		rules[i].loadGlob()
 		rules[j].loadGlob()
+
+		// if priority differ, use that to sort
+		if rules[i].Priority != rules[j].Priority {
+			return rules[i].Priority < rules[j].Priority
+		}
+
+		// now we sort the old way
 		if rules[i].isPlainName != rules[j].isPlainName {
 			return rules[i].isPlainName // plain name comes first, so plain name means "less"
 		}
--- a/models/git/protected_branch_list_test.go
+++ b/models/git/protected_branch_list_test.go
@ -75,7 +75,7 @@ func TestBranchRuleMatchPriority(t *testing.T) {
 	}
 }

-func TestBranchRuleSort(t *testing.T) {
+func TestBranchRuleSortLegacy(t *testing.T) {
 	in := []*ProtectedBranch{{
 		RuleName:    "b",
 		CreatedUnix: 1,
@ -103,3 +103,37 @@ func TestBranchRuleSort(t *testing.T) {
 	}
 	assert.Equal(t, expect, got)
 }
+
+func TestBranchRuleSortPriority(t *testing.T) {
+	in := []*ProtectedBranch{{
+		RuleName:    "b",
+		CreatedUnix: 1,
+		Priority:    4,
+	}, {
+		RuleName:    "b/*",
+		CreatedUnix: 3,
+		Priority:    2,
+	}, {
+		RuleName:    "a/*",
+		CreatedUnix: 2,
+		Priority:    1,
+	}, {
+		RuleName:    "c",
+		CreatedUnix: 0,
+		Priority:    0,
+	}, {
+		RuleName:    "a",
+		CreatedUnix: 4,
+		Priority:    3,
+	}}
+	expect := []string{"c", "a/*", "b/*", "a", "b"}
+
+	pbr := ProtectedBranchRules(in)
+	pbr.sort()
+
+	var got []string
+	for i := range pbr {
+		got = append(got, pbr[i].RuleName)
+	}
+	assert.Equal(t, expect, got)
+}
--- a/models/git/protected_branch_test.go
+++ b/models/git/protected_branch_test.go
@ -7,6 +7,10 @@ import (
 	"fmt"
 	"testing"

+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+
 	"github.com/stretchr/testify/assert"
 )

@ -76,3 +80,77 @@ func TestBranchRuleMatch(t *testing.T) {
 		)
 	}
 }
+
+func TestUpdateProtectBranchPriorities(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	// Create some test protected branches with initial priorities
+	protectedBranches := []*ProtectedBranch{
+		{
+			RepoID:   repo.ID,
+			RuleName: "master",
+			Priority: 1,
+		},
+		{
+			RepoID:   repo.ID,
+			RuleName: "develop",
+			Priority: 2,
+		},
+		{
+			RepoID:   repo.ID,
+			RuleName: "feature/*",
+			Priority: 3,
+		},
+	}
+
+	for _, pb := range protectedBranches {
+		_, err := db.GetEngine(db.DefaultContext).Insert(pb)
+		assert.NoError(t, err)
+	}
+
+	// Test updating priorities
+	newPriorities := []int64{protectedBranches[2].ID, protectedBranches[0].ID, protectedBranches[1].ID}
+	err := UpdateProtectBranchPriorities(db.DefaultContext, repo, newPriorities)
+	assert.NoError(t, err)
+
+	// Verify new priorities
+	pbs, err := FindRepoProtectedBranchRules(db.DefaultContext, repo.ID)
+	assert.NoError(t, err)
+
+	expectedPriorities := map[string]int64{
+		"feature/*": 1,
+		"master":    2,
+		"develop":   3,
+	}
+
+	for _, pb := range pbs {
+		assert.Equal(t, expectedPriorities[pb.RuleName], pb.Priority)
+	}
+}
+
+func TestNewProtectBranchPriority(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	err := UpdateProtectBranch(db.DefaultContext, repo, &ProtectedBranch{
+		RepoID:   repo.ID,
+		RuleName: "branch-1",
+		Priority: 1,
+	}, WhitelistOptions{})
+	assert.NoError(t, err)
+
+	newPB := &ProtectedBranch{
+		RepoID:   repo.ID,
+		RuleName: "branch-2",
+		// Priority intentionally omitted
+	}
+
+	err = UpdateProtectBranch(db.DefaultContext, repo, newPB, WhitelistOptions{})
+	assert.NoError(t, err)
+
+	savedPB2, err := GetFirstMatchProtectedBranchRule(db.DefaultContext, repo.ID, "branch-2")
+	assert.NoError(t, err)
+	assert.Equal(t, int64(2), savedPB2.Priority)
+}
--- a/models/migrations/base/tests.go
+++ b/models/migrations/base/tests.go
@ -18,7 +18,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/testlogger"

-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"xorm.io/xorm"
 )

@ -33,15 +33,15 @@ func PrepareTestEnv(t *testing.T, skip int, syncModels ...any) (*xorm.Engine, fu
 	ourSkip := 2
 	ourSkip += skip
 	deferFn := testlogger.PrintCurrentTest(t, ourSkip)
-	assert.NoError(t, unittest.SyncDirs(filepath.Join(filepath.Dir(setting.AppPath), "tests/gitea-repositories-meta"), setting.RepoRootPath))
+	require.NoError(t, unittest.SyncDirs(filepath.Join(filepath.Dir(setting.AppPath), "tests/gitea-repositories-meta"), setting.RepoRootPath))

 	if err := deleteDB(); err != nil {
-		t.Errorf("unable to reset database: %v", err)
+		t.Fatalf("unable to reset database: %v", err)
 		return nil, deferFn
 	}

 	x, err := newXORMEngine()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	if x != nil {
 		oldDefer := deferFn
 		deferFn = func() {
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -367,6 +367,7 @@ func prepareMigrationTasks() []*migration {
 		newMigration(307, "Fix milestone deadline_unix when there is no due date", v1_23.FixMilestoneNoDueDate),
 		newMigration(308, "Add index(user_id, is_deleted) for action table", v1_23.AddNewIndexForUserDashboard),
 		newMigration(309, "Improve Notification table indices", v1_23.ImproveNotificationTableIndices),
+		newMigration(310, "Add Priority to ProtectedBranch", v1_23.AddPriorityToProtectedBranch),
 	}
 	return preparedMigrations
 }
--- a/models/migrations/v1_23/v310.go
+++ b/models/migrations/v1_23/v310.go
@ -0,0 +1,16 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_23 //nolint
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddPriorityToProtectedBranch(x *xorm.Engine) error {
+	type ProtectedBranch struct {
+		Priority int64 `xorm:"NOT NULL DEFAULT 0"`
+	}
+
+	return x.Sync(new(ProtectedBranch))
+}
--- a/models/organization/org_list.go
+++ b/models/organization/org_list.go
@ -16,6 +16,31 @@ import (
 	"xorm.io/builder"
 )

+type OrgList []*Organization
+
+func (orgs OrgList) LoadTeams(ctx context.Context) (map[int64]TeamList, error) {
+	if len(orgs) == 0 {
+		return map[int64]TeamList{}, nil
+	}
+
+	orgIDs := make([]int64, len(orgs))
+	for i, org := range orgs {
+		orgIDs[i] = org.ID
+	}
+
+	teams, err := GetTeamsByOrgIDs(ctx, orgIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	teamMap := make(map[int64]TeamList, len(orgs))
+	for _, team := range teams {
+		teamMap[team.OrgID] = append(teamMap[team.OrgID], team)
+	}
+
+	return teamMap, nil
+}
+
 // SearchOrganizationsOptions options to filter organizations
 type SearchOrganizationsOptions struct {
 	db.ListOptions
--- a/models/organization/org_list_test.go
+++ b/models/organization/org_list_test.go
@ -60,3 +60,14 @@ func TestGetUserOrgsList(t *testing.T) {
 		assert.EqualValues(t, 2, orgs[0].NumRepos)
 	}
 }
+
+func TestLoadOrgListTeams(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	orgs, err := organization.GetUserOrgsList(db.DefaultContext, &user_model.User{ID: 4})
+	assert.NoError(t, err)
+	assert.Len(t, orgs, 1)
+	teamsMap, err := organization.OrgList(orgs).LoadTeams(db.DefaultContext)
+	assert.NoError(t, err)
+	assert.Len(t, teamsMap, 1)
+	assert.Len(t, teamsMap[3], 5)
+}
--- a/models/organization/team_list.go
+++ b/models/organization/team_list.go
@ -126,3 +126,8 @@ func GetUserRepoTeams(ctx context.Context, orgID, userID, repoID int64) (teams T
 		And("team_repo.repo_id=?", repoID).
 		Find(&teams)
 }
+
+func GetTeamsByOrgIDs(ctx context.Context, orgIDs []int64) (TeamList, error) {
+	teams := make([]*Team, 0, 10)
+	return teams, db.GetEngine(ctx).Where(builder.In("org_id", orgIDs)).Find(&teams)
+}
--- a/modules/auth/webauthn/webauthn.go
+++ b/modules/auth/webauthn/webauthn.go
@ -4,13 +4,14 @@
 package webauthn

 import (
+	"context"
 	"encoding/binary"
 	"encoding/gob"

 	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"

 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
@ -38,40 +39,42 @@ func Init() {
 	}
 }

-// User represents an implementation of webauthn.User based on User model
-type User user_model.User
+// user represents an implementation of webauthn.User based on User model
+type user struct {
+	ctx  context.Context
+	User *user_model.User
+
+	defaultAuthFlags protocol.AuthenticatorFlags
+}
+
+var _ webauthn.User = (*user)(nil)
+
+func NewWebAuthnUser(ctx context.Context, u *user_model.User, defaultAuthFlags ...protocol.AuthenticatorFlags) webauthn.User {
+	return &user{ctx: ctx, User: u, defaultAuthFlags: util.OptionalArg(defaultAuthFlags)}
+}

 // WebAuthnID implements the webauthn.User interface
-func (u *User) WebAuthnID() []byte {
+func (u *user) WebAuthnID() []byte {
 	id := make([]byte, 8)
-	binary.PutVarint(id, u.ID)
+	binary.PutVarint(id, u.User.ID)
 	return id
 }

 // WebAuthnName implements the webauthn.User interface
-func (u *User) WebAuthnName() string {
-	if u.LoginName == "" {
-		return u.Name
-	}
-	return u.LoginName
+func (u *user) WebAuthnName() string {
+	return util.IfZero(u.User.LoginName, u.User.Name)
 }

 // WebAuthnDisplayName implements the webauthn.User interface
-func (u *User) WebAuthnDisplayName() string {
-	return (*user_model.User)(u).DisplayName()
-}
-
-// WebAuthnIcon implements the webauthn.User interface
-func (u *User) WebAuthnIcon() string {
-	return (*user_model.User)(u).AvatarLink(db.DefaultContext)
+func (u *user) WebAuthnDisplayName() string {
+	return u.User.DisplayName()
 }

 // WebAuthnCredentials implements the webauthn.User interface
-func (u *User) WebAuthnCredentials() []webauthn.Credential {
-	dbCreds, err := auth.GetWebAuthnCredentialsByUID(db.DefaultContext, u.ID)
+func (u *user) WebAuthnCredentials() []webauthn.Credential {
+	dbCreds, err := auth.GetWebAuthnCredentialsByUID(u.ctx, u.User.ID)
 	if err != nil {
 		return nil
 	}
-
-	return dbCreds.ToCredentials()
+	return dbCreds.ToCredentials(u.defaultAuthFlags)
 }
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@ -5,9 +5,9 @@ package markup

 import (
 	"bytes"
+	"fmt"
 	"io"
 	"regexp"
-	"slices"
 	"strings"
 	"sync"

@ -133,75 +133,49 @@ func CustomLinkURLSchemes(schemes []string) {
 	common.GlobalVars().LinkRegex, _ = xurls.StrictMatchingScheme(strings.Join(withAuth, "|"))
 }

-type postProcessError struct {
-	context string
-	err     error
-}
-
-func (p *postProcessError) Error() string {
-	return "PostProcess: " + p.context + ", " + p.err.Error()
-}
-
 type processor func(ctx *RenderContext, node *html.Node)

-var defaultProcessors = []processor{
-	fullIssuePatternProcessor,
-	comparePatternProcessor,
-	codePreviewPatternProcessor,
-	fullHashPatternProcessor,
-	shortLinkProcessor,
-	linkProcessor,
-	mentionProcessor,
-	issueIndexPatternProcessor,
-	commitCrossReferencePatternProcessor,
-	hashCurrentPatternProcessor,
-	emailAddressProcessor,
-	emojiProcessor,
-	emojiShortCodeProcessor,
-}
-
-// PostProcess does the final required transformations to the passed raw HTML
+// PostProcessDefault does the final required transformations to the passed raw HTML
 // data, and ensures its validity. Transformations include: replacing links and
 // emails with HTML links, parsing shortlinks in the format of [[Link]], like
 // MediaWiki, linking issues in the format #ID, and mentions in the format
 // @user, and others.
-func PostProcess(ctx *RenderContext, input io.Reader, output io.Writer) error {
-	return postProcess(ctx, defaultProcessors, input, output)
-}
-
-var commitMessageProcessors = []processor{
-	fullIssuePatternProcessor,
-	comparePatternProcessor,
-	fullHashPatternProcessor,
-	linkProcessor,
-	mentionProcessor,
-	issueIndexPatternProcessor,
-	commitCrossReferencePatternProcessor,
-	hashCurrentPatternProcessor,
-	emailAddressProcessor,
-	emojiProcessor,
-	emojiShortCodeProcessor,
+func PostProcessDefault(ctx *RenderContext, input io.Reader, output io.Writer) error {
+	procs := []processor{
+		fullIssuePatternProcessor,
+		comparePatternProcessor,
+		codePreviewPatternProcessor,
+		fullHashPatternProcessor,
+		shortLinkProcessor,
+		linkProcessor,
+		mentionProcessor,
+		issueIndexPatternProcessor,
+		commitCrossReferencePatternProcessor,
+		hashCurrentPatternProcessor,
+		emailAddressProcessor,
+		emojiProcessor,
+		emojiShortCodeProcessor,
+	}
+	return postProcess(ctx, procs, input, output)
 }

 // RenderCommitMessage will use the same logic as PostProcess, but will disable
-// the shortLinkProcessor and will add a defaultLinkProcessor if defaultLink is
-// set, which changes every text node into a link to the passed default link.
+// the shortLinkProcessor.
 func RenderCommitMessage(ctx *RenderContext, content string) (string, error) {
-	procs := commitMessageProcessors
-	return renderProcessString(ctx, procs, content)
-}
-
-var commitMessageSubjectProcessors = []processor{
-	fullIssuePatternProcessor,
-	comparePatternProcessor,
-	fullHashPatternProcessor,
-	linkProcessor,
-	mentionProcessor,
-	issueIndexPatternProcessor,
-	commitCrossReferencePatternProcessor,
-	hashCurrentPatternProcessor,
-	emojiShortCodeProcessor,
-	emojiProcessor,
+	procs := []processor{
+		fullIssuePatternProcessor,
+		comparePatternProcessor,
+		fullHashPatternProcessor,
+		linkProcessor,
+		mentionProcessor,
+		issueIndexPatternProcessor,
+		commitCrossReferencePatternProcessor,
+		hashCurrentPatternProcessor,
+		emailAddressProcessor,
+		emojiProcessor,
+		emojiShortCodeProcessor,
+	}
+	return postProcessString(ctx, procs, content)
 }

 var emojiProcessors = []processor{
@ -214,7 +188,18 @@ var emojiProcessors = []processor{
 // emailAddressProcessor, will add a defaultLinkProcessor if defaultLink is set,
 // which changes every text node into a link to the passed default link.
 func RenderCommitMessageSubject(ctx *RenderContext, defaultLink, content string) (string, error) {
-	procs := slices.Clone(commitMessageSubjectProcessors)
+	procs := []processor{
+		fullIssuePatternProcessor,
+		comparePatternProcessor,
+		fullHashPatternProcessor,
+		linkProcessor,
+		mentionProcessor,
+		issueIndexPatternProcessor,
+		commitCrossReferencePatternProcessor,
+		hashCurrentPatternProcessor,
+		emojiShortCodeProcessor,
+		emojiProcessor,
+	}
 	procs = append(procs, func(ctx *RenderContext, node *html.Node) {
 		ch := &html.Node{Parent: node, Type: html.TextNode, Data: node.Data}
 		node.Type = html.ElementNode
@ -223,19 +208,19 @@ func RenderCommitMessageSubject(ctx *RenderContext, defaultLink, content string)
 		node.Attr = []html.Attribute{{Key: "href", Val: defaultLink}, {Key: "class", Val: "muted"}}
 		node.FirstChild, node.LastChild = ch, ch
 	})
-	return renderProcessString(ctx, procs, content)
+	return postProcessString(ctx, procs, content)
 }

 // RenderIssueTitle to process title on individual issue/pull page
 func RenderIssueTitle(ctx *RenderContext, title string) (string, error) {
 	// do not render other issue/commit links in an issue's title - which in most cases is already a link.
-	return renderProcessString(ctx, []processor{
+	return postProcessString(ctx, []processor{
 		emojiShortCodeProcessor,
 		emojiProcessor,
 	}, title)
 }

-func renderProcessString(ctx *RenderContext, procs []processor, content string) (string, error) {
+func postProcessString(ctx *RenderContext, procs []processor, content string) (string, error) {
 	var buf strings.Builder
 	if err := postProcess(ctx, procs, strings.NewReader(content), &buf); err != nil {
 		return "", err
@ -246,7 +231,7 @@ func renderProcessString(ctx *RenderContext, procs []processor, content string)
 // RenderDescriptionHTML will use similar logic as PostProcess, but will
 // use a single special linkProcessor.
 func RenderDescriptionHTML(ctx *RenderContext, content string) (string, error) {
-	return renderProcessString(ctx, []processor{
+	return postProcessString(ctx, []processor{
 		descriptionLinkProcessor,
 		emojiShortCodeProcessor,
 		emojiProcessor,
@ -256,7 +241,7 @@ func RenderDescriptionHTML(ctx *RenderContext, content string) (string, error) {
 // RenderEmoji for when we want to just process emoji and shortcodes
 // in various places it isn't already run through the normal markdown processor
 func RenderEmoji(ctx *RenderContext, content string) (string, error) {
-	return renderProcessString(ctx, emojiProcessors, content)
+	return postProcessString(ctx, emojiProcessors, content)
 }

 func postProcess(ctx *RenderContext, procs []processor, input io.Reader, output io.Writer) error {
@ -276,7 +261,7 @@ func postProcess(ctx *RenderContext, procs []processor, input io.Reader, output
 		strings.NewReader("</body></html>"),
 	))
 	if err != nil {
-		return &postProcessError{"invalid HTML", err}
+		return fmt.Errorf("markup.postProcess: invalid HTML: %w", err)
 	}

 	if node.Type == html.DocumentNode {
@ -308,7 +293,7 @@ func postProcess(ctx *RenderContext, procs []processor, input io.Reader, output
 	// Render everything to buf.
 	for _, node := range newNodes {
 		if err := html.Render(output, node); err != nil {
-			return &postProcessError{"error rendering processed HTML", err}
+			return fmt.Errorf("markup.postProcess: html.Render: %w", err)
 		}
 	}
 	return nil
--- a/modules/markup/html_internal_test.go
+++ b/modules/markup/html_internal_test.go
@ -277,12 +277,12 @@ func TestRender_AutoLink(t *testing.T) {

 	test := func(input, expected string) {
 		var buffer strings.Builder
-		err := PostProcess(NewTestRenderContext(localMetas), strings.NewReader(input), &buffer)
+		err := PostProcessDefault(NewTestRenderContext(localMetas), strings.NewReader(input), &buffer)
 		assert.Equal(t, err, nil)
 		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(buffer.String()))

 		buffer.Reset()
-		err = PostProcess(NewTestRenderContext(localMetas), strings.NewReader(input), &buffer)
+		err = PostProcessDefault(NewTestRenderContext(localMetas), strings.NewReader(input), &buffer)
 		assert.Equal(t, err, nil)
 		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(buffer.String()))
 	}
--- a/modules/markup/html_test.go
+++ b/modules/markup/html_test.go
@ -445,14 +445,14 @@ func Test_ParseClusterFuzz(t *testing.T) {
 	data := "<A><maTH><tr><MN><bodY ÿ><temPlate></template><tH><tr></A><tH><d<bodY "

 	var res strings.Builder
-	err := markup.PostProcess(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
+	err := markup.PostProcessDefault(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
 	assert.NoError(t, err)
 	assert.NotContains(t, res.String(), "<html")

 	data = "<!DOCTYPE html>\n<A><maTH><tr><MN><bodY ÿ><temPlate></template><tH><tr></A><tH><d<bodY "

 	res.Reset()
-	err = markup.PostProcess(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
+	err = markup.PostProcessDefault(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)

 	assert.NoError(t, err)
 	assert.NotContains(t, res.String(), "<html")
@ -464,7 +464,7 @@ func TestPostProcess_RenderDocument(t *testing.T) {

 	test := func(input, expected string) {
 		var res strings.Builder
-		err := markup.PostProcess(markup.NewTestRenderContext(markup.TestAppURL, map[string]string{"user": "go-gitea", "repo": "gitea"}), strings.NewReader(input), &res)
+		err := markup.PostProcessDefault(markup.NewTestRenderContext(markup.TestAppURL, map[string]string{"user": "go-gitea", "repo": "gitea"}), strings.NewReader(input), &res)
 		assert.NoError(t, err)
 		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(res.String()))
 	}
@ -501,7 +501,7 @@ func TestIssue16020(t *testing.T) {
 	data := `<img src="data:image/png;base64,i//V"/>`

 	var res strings.Builder
-	err := markup.PostProcess(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
+	err := markup.PostProcessDefault(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
 	assert.NoError(t, err)
 	assert.Equal(t, data, res.String())
 }
@ -514,7 +514,7 @@ func BenchmarkEmojiPostprocess(b *testing.B) {
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		var res strings.Builder
-		err := markup.PostProcess(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
+		err := markup.PostProcessDefault(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
 		assert.NoError(b, err)
 	}
 }
@ -522,7 +522,7 @@ func BenchmarkEmojiPostprocess(b *testing.B) {
 func TestFuzz(t *testing.T) {
 	s := "t/l/issues/8#/../../a"
 	renderContext := markup.NewTestRenderContext()
-	err := markup.PostProcess(renderContext, strings.NewReader(s), io.Discard)
+	err := markup.PostProcessDefault(renderContext, strings.NewReader(s), io.Discard)
 	assert.NoError(t, err)
 }

@ -530,7 +530,7 @@ func TestIssue18471(t *testing.T) {
 	data := `http://domain/org/repo/compare/783b039...da951ce`

 	var res strings.Builder
-	err := markup.PostProcess(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)
+	err := markup.PostProcessDefault(markup.NewTestRenderContext(localMetas), strings.NewReader(data), &res)

 	assert.NoError(t, err)
 	assert.Equal(t, `<a href="http://domain/org/repo/compare/783b039...da951ce" class="compare"><code class="nohighlight">783b039...da951ce</code></a>`, res.String())
--- a/modules/markup/markdown/goldmark.go
+++ b/modules/markup/markdown/goldmark.go
@ -80,9 +80,7 @@ func (g *ASTTransformer) Transform(node *ast.Document, reader text.Reader, pc pa
 				// many places render non-comment contents with no mode=document, then these contents also use comment's hard line break setting
 				// especially in many tests.
 				markdownLineBreakStyle := ctx.RenderOptions.Metas["markdownLineBreakStyle"]
-				if markup.RenderBehaviorForTesting.ForceHardLineBreak {
-					v.SetHardLineBreak(true)
-				} else if markdownLineBreakStyle == "comment" {
+				if markdownLineBreakStyle == "comment" {
 					v.SetHardLineBreak(setting.Markdown.EnableHardLineBreakInComments)
 				} else if markdownLineBreakStyle == "document" {
 					v.SetHardLineBreak(setting.Markdown.EnableHardLineBreakInDocuments)
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@ -85,94 +85,13 @@ func TestRender_Images(t *testing.T) {
 		`<p><a href="`+href+`" rel="nofollow"><img src="`+result+`" alt="`+title+`"/></a></p>`)
 }

-func testAnswers(baseURL string) []string {
-	return []string{
-		`<p>Wiki! Enjoy :)</p>
-<ul>
-<li><a href="` + baseURL + `/Links" rel="nofollow">Links, Language bindings, Engine bindings</a></li>
-<li><a href="` + baseURL + `/Tips" rel="nofollow">Tips</a></li>
-</ul>
-<p>See commit <a href="/` + testRepoOwnerName + `/` + testRepoName + `/commit/65f1bf27bc" rel="nofollow"><code>65f1bf27bc</code></a></p>
-<p>Ideas and codes</p>
-<ul>
-<li>Bezier widget (by <a href="/r-lyeh" rel="nofollow">@r-lyeh</a>) <a href="http://localhost:3000/ocornut/imgui/issues/786" class="ref-issue" rel="nofollow">ocornut/imgui#786</a></li>
-<li>Bezier widget (by <a href="/r-lyeh" rel="nofollow">@r-lyeh</a>) <a href="` + FullURL + `issues/786" class="ref-issue" rel="nofollow">#786</a></li>
-<li>Node graph editors <a href="https://github.com/ocornut/imgui/issues/306" rel="nofollow">https://github.com/ocornut/imgui/issues/306</a></li>
-<li><a href="` + baseURL + `/memory_editor_example" rel="nofollow">Memory Editor</a></li>
-<li><a href="` + baseURL + `/plot_var_example" rel="nofollow">Plot var helper</a></li>
-</ul>
-`,
-		`<h2 id="user-content-what-is-wine-staging">What is Wine Staging?</h2>
-<p><strong>Wine Staging</strong> on website <a href="http://wine-staging.com" rel="nofollow">wine-staging.com</a>.</p>
-<h2 id="user-content-quick-links">Quick Links</h2>
-<p>Here are some links to the most important topics. You can find the full list of pages at the sidebar.</p>
-<table>
-<thead>
-<tr>
-<th><a href="` + baseURL + `/images/icon-install.png" rel="nofollow"><img src="` + baseURL + `/images/icon-install.png" title="icon-install.png" alt="images/icon-install.png"/></a></th>
-<th><a href="` + baseURL + `/Installation" rel="nofollow">Installation</a></th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="` + baseURL + `/images/icon-usage.png" rel="nofollow"><img src="` + baseURL + `/images/icon-usage.png" title="icon-usage.png" alt="images/icon-usage.png"/></a></td>
-<td><a href="` + baseURL + `/Usage" rel="nofollow">Usage</a></td>
-</tr>
-</tbody>
-</table>
-`,
-		`<p><a href="http://www.excelsiorjet.com/" rel="nofollow">Excelsior JET</a> allows you to create native executables for Windows, Linux and Mac OS X.</p>
-<ol>
-<li><a href="https://github.com/libgdx/libgdx/wiki/Gradle-on-the-Commandline#packaging-for-the-desktop" rel="nofollow">Package your libGDX application</a><br/>
-<a href="` + baseURL + `/images/1.png" rel="nofollow"><img src="` + baseURL + `/images/1.png" title="1.png" alt="images/1.png"/></a></li>
-<li>Perform a test run by hitting the Run! button.<br/>
-<a href="` + baseURL + `/images/2.png" rel="nofollow"><img src="` + baseURL + `/images/2.png" title="2.png" alt="images/2.png"/></a></li>
-</ol>
-<h2 id="user-content-custom-id">More tests</h2>
-<p>(from <a href="https://www.markdownguide.org/extended-syntax/" rel="nofollow">https://www.markdownguide.org/extended-syntax/</a>)</p>
-<h3 id="user-content-checkboxes">Checkboxes</h3>
-<ul>
-<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="434"/>unchecked</li>
-<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="450" checked=""/>checked</li>
-<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="464"/>still unchecked</li>
-</ul>
-<h3 id="user-content-definition-list">Definition list</h3>
-<dl>
-<dt>First Term</dt>
-<dd>This is the definition of the first term.</dd>
-<dt>Second Term</dt>
-<dd>This is one definition of the second term.</dd>
-<dd>This is another definition of the second term.</dd>
-</dl>
-<h3 id="user-content-footnotes">Footnotes</h3>
-<p>Here is a simple footnote,<sup id="fnref:user-content-1"><a href="#fn:user-content-1" rel="nofollow">1</a></sup> and here is a longer one.<sup id="fnref:user-content-bignote"><a href="#fn:user-content-bignote" rel="nofollow">2</a></sup></p>
-<div>
-<hr/>
-<ol>
-<li id="fn:user-content-1">
-<p>This is the first footnote. <a href="#fnref:user-content-1" rel="nofollow">↩︎</a></p>
-</li>
-<li id="fn:user-content-bignote">
-<p>Here is one with multiple paragraphs and code.</p>
-<p>Indent paragraphs to include them in the footnote.</p>
-<p><code>{ my code }</code></p>
-<p>Add as many paragraphs as you like. <a href="#fnref:user-content-bignote" rel="nofollow">↩︎</a></p>
-</li>
-</ol>
-</div>
-`, `<ul>
-<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="3"/> If you want to rebase/retry this PR, click this checkbox.</li>
-</ul>
-<hr/>
-<p>This PR has been generated by <a href="https://github.com/renovatebot/renovate" rel="nofollow">Renovate Bot</a>.</p>
-`,
-	}
-}
+func TestTotal_RenderString(t *testing.T) {
+	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()

-// Test cases without ambiguous links
-var sameCases = []string{
-	// dear imgui wiki markdown extract: special wiki syntax
-	`Wiki! Enjoy :)
+	// Test cases without ambiguous links (It is not right to copy a whole file here, instead it should clearly test what is being tested)
+	sameCases := []string{
+		// dear imgui wiki markdown extract: special wiki syntax
+		`Wiki! Enjoy :)
 - [[Links, Language bindings, Engine bindings|Links]]
 - [[Tips]]

@ -185,8 +104,8 @@ Ideas and codes
 - Node graph editors https://github.com/ocornut/imgui/issues/306
 - [[Memory Editor|memory_editor_example]]
 - [[Plot var helper|plot_var_example]]`,
-	// wine-staging wiki home extract: tables, special wiki syntax, images
-	`## What is Wine Staging?
+		// wine-staging wiki home extract: tables, special wiki syntax, images
+		`## What is Wine Staging?
 **Wine Staging** on website [wine-staging.com](http://wine-staging.com).

 ## Quick Links
@ -196,8 +115,8 @@ Here are some links to the most important topics. You can find the full list of
 |--------------------------------|----------------------------------------------------------|
 | [[images/icon-usage.png]]      | [[Usage]]                                                |
 `,
-	// libgdx wiki page: inline images with special syntax
-	`[Excelsior JET](http://www.excelsiorjet.com/) allows you to create native executables for Windows, Linux and Mac OS X.
+		// libgdx wiki page: inline images with special syntax
+		`[Excelsior JET](http://www.excelsiorjet.com/) allows you to create native executables for Windows, Linux and Mac OS X.

 1. [Package your libGDX application](https://github.com/libgdx/libgdx/wiki/Gradle-on-the-Commandline#packaging-for-the-desktop)
 [[images/1.png]]
@ -237,7 +156,7 @@ Here is a simple footnote,[^1] and here is a longer one.[^bignote]

    Add as many paragraphs as you like.
 `,
-	`
+		`
 - [ ] <!-- rebase-check --> If you want to rebase/retry this PR, click this checkbox.

 ---
@ -245,21 +164,101 @@ Here is a simple footnote,[^1] and here is a longer one.[^bignote]
 This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

 <!-- test-comment -->`,
-}
+	}
+
+	baseURL := ""
+	testAnswers := []string{
+		`<p>Wiki! Enjoy :)</p>
+<ul>
+<li><a href="` + baseURL + `/Links" rel="nofollow">Links, Language bindings, Engine bindings</a></li>
+<li><a href="` + baseURL + `/Tips" rel="nofollow">Tips</a></li>
+</ul>
+<p>See commit <a href="/` + testRepoOwnerName + `/` + testRepoName + `/commit/65f1bf27bc" rel="nofollow"><code>65f1bf27bc</code></a></p>
+<p>Ideas and codes</p>
+<ul>
+<li>Bezier widget (by <a href="/r-lyeh" rel="nofollow">@r-lyeh</a>) <a href="http://localhost:3000/ocornut/imgui/issues/786" class="ref-issue" rel="nofollow">ocornut/imgui#786</a></li>
+<li>Bezier widget (by <a href="/r-lyeh" rel="nofollow">@r-lyeh</a>) <a href="` + FullURL + `issues/786" class="ref-issue" rel="nofollow">#786</a></li>
+<li>Node graph editors <a href="https://github.com/ocornut/imgui/issues/306" rel="nofollow">https://github.com/ocornut/imgui/issues/306</a></li>
+<li><a href="` + baseURL + `/memory_editor_example" rel="nofollow">Memory Editor</a></li>
+<li><a href="` + baseURL + `/plot_var_example" rel="nofollow">Plot var helper</a></li>
+</ul>
+`,
+		`<h2 id="user-content-what-is-wine-staging">What is Wine Staging?</h2>
+<p><strong>Wine Staging</strong> on website <a href="http://wine-staging.com" rel="nofollow">wine-staging.com</a>.</p>
+<h2 id="user-content-quick-links">Quick Links</h2>
+<p>Here are some links to the most important topics. You can find the full list of pages at the sidebar.</p>
+<table>
+<thead>
+<tr>
+<th><a href="` + baseURL + `/images/icon-install.png" rel="nofollow"><img src="` + baseURL + `/images/icon-install.png" title="icon-install.png" alt="images/icon-install.png"/></a></th>
+<th><a href="` + baseURL + `/Installation" rel="nofollow">Installation</a></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><a href="` + baseURL + `/images/icon-usage.png" rel="nofollow"><img src="` + baseURL + `/images/icon-usage.png" title="icon-usage.png" alt="images/icon-usage.png"/></a></td>
+<td><a href="` + baseURL + `/Usage" rel="nofollow">Usage</a></td>
+</tr>
+</tbody>
+</table>
+`,
+		`<p><a href="http://www.excelsiorjet.com/" rel="nofollow">Excelsior JET</a> allows you to create native executables for Windows, Linux and Mac OS X.</p>
+<ol>
+<li><a href="https://github.com/libgdx/libgdx/wiki/Gradle-on-the-Commandline#packaging-for-the-desktop" rel="nofollow">Package your libGDX application</a>
+<a href="` + baseURL + `/images/1.png" rel="nofollow"><img src="` + baseURL + `/images/1.png" title="1.png" alt="images/1.png"/></a></li>
+<li>Perform a test run by hitting the Run! button.
+<a href="` + baseURL + `/images/2.png" rel="nofollow"><img src="` + baseURL + `/images/2.png" title="2.png" alt="images/2.png"/></a></li>
+</ol>
+<h2 id="user-content-custom-id">More tests</h2>
+<p>(from <a href="https://www.markdownguide.org/extended-syntax/" rel="nofollow">https://www.markdownguide.org/extended-syntax/</a>)</p>
+<h3 id="user-content-checkboxes">Checkboxes</h3>
+<ul>
+<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="434"/>unchecked</li>
+<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="450" checked=""/>checked</li>
+<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="464"/>still unchecked</li>
+</ul>
+<h3 id="user-content-definition-list">Definition list</h3>
+<dl>
+<dt>First Term</dt>
+<dd>This is the definition of the first term.</dd>
+<dt>Second Term</dt>
+<dd>This is one definition of the second term.</dd>
+<dd>This is another definition of the second term.</dd>
+</dl>
+<h3 id="user-content-footnotes">Footnotes</h3>
+<p>Here is a simple footnote,<sup id="fnref:user-content-1"><a href="#fn:user-content-1" rel="nofollow">1</a></sup> and here is a longer one.<sup id="fnref:user-content-bignote"><a href="#fn:user-content-bignote" rel="nofollow">2</a></sup></p>
+<div>
+<hr/>
+<ol>
+<li id="fn:user-content-1">
+<p>This is the first footnote. <a href="#fnref:user-content-1" rel="nofollow">↩︎</a></p>
+</li>
+<li id="fn:user-content-bignote">
+<p>Here is one with multiple paragraphs and code.</p>
+<p>Indent paragraphs to include them in the footnote.</p>
+<p><code>{ my code }</code></p>
+<p>Add as many paragraphs as you like. <a href="#fnref:user-content-bignote" rel="nofollow">↩︎</a></p>
+</li>
+</ol>
+</div>
+`,
+		`<ul>
+<li class="task-list-item"><input type="checkbox" disabled="" data-source-position="3"/> If you want to rebase/retry this PR, click this checkbox.</li>
+</ul>
+<hr/>
+<p>This PR has been generated by <a href="https://github.com/renovatebot/renovate" rel="nofollow">Renovate Bot</a>.</p>
+`,
+	}

-func TestTotal_RenderString(t *testing.T) {
-	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.ForceHardLineBreak, true)()
-	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
 	markup.Init(&markup.RenderHelperFuncs{
 		IsUsernameMentionable: func(ctx context.Context, username string) bool {
 			return username == "r-lyeh"
 		},
 	})
-	answers := testAnswers("")
 	for i := 0; i < len(sameCases); i++ {
 		line, err := markdown.RenderString(markup.NewTestRenderContext(localMetas), sameCases[i])
 		assert.NoError(t, err)
-		assert.Equal(t, answers[i], string(line))
+		assert.Equal(t, testAnswers[i], string(line))
 	}
 }

@ -312,10 +311,9 @@ func TestRenderSiblingImages_Issue12925(t *testing.T) {
 	testcase := `![image1](/image1)
 ![image2](/image2)
 `
-	expected := `<p><a href="/image1" target="_blank" rel="nofollow noopener"><img src="/image1" alt="image1"></a><br>
+	expected := `<p><a href="/image1" target="_blank" rel="nofollow noopener"><img src="/image1" alt="image1"></a>
 <a href="/image2" target="_blank" rel="nofollow noopener"><img src="/image2" alt="image2"></a></p>
 `
-	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.ForceHardLineBreak, true)()
 	res, err := markdown.RenderRawString(markup.NewTestRenderContext(), testcase)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, res)
@ -525,43 +523,33 @@ mail@domain.com
  space${SPACE}${SPACE}
 `
 	input = strings.ReplaceAll(input, "${SPACE}", " ") // replace ${SPACE} with " ", to avoid some editor's auto-trimming
-	cases := []struct {
-		Expected string
-	}{
-		{
-			Expected: `<p>space @mention-user<br/>
-/just/a/path.bin<br/>
-<a href="https://example.com/file.bin" rel="nofollow">https://example.com/file.bin</a><br/>
-<a href="/file.bin" rel="nofollow">local link</a><br/>
-<a href="https://example.com" rel="nofollow">remote link</a><br/>
-<a href="/file.bin" rel="nofollow">local link</a><br/>
-<a href="https://example.com" rel="nofollow">remote link</a><br/>
-<a href="/image.jpg" target="_blank" rel="nofollow noopener"><img src="/image.jpg" alt="local image"/></a><br/>
-<a href="/path/file" target="_blank" rel="nofollow noopener"><img src="/path/file" alt="local image"/></a><br/>
-<a href="/path/file" target="_blank" rel="nofollow noopener"><img src="/path/file" alt="local image"/></a><br/>
-<a href="https://example.com/image.jpg" target="_blank" rel="nofollow noopener"><img src="https://example.com/image.jpg" alt="remote image"/></a><br/>
-<a href="/image.jpg" rel="nofollow"><img src="/image.jpg" title="local image" alt="local image"/></a><br/>
-<a href="https://example.com/image.jpg" rel="nofollow"><img src="https://example.com/image.jpg" title="remote link" alt="remote link"/></a><br/>
-<a href="https://example.com/user/repo/compare/88fc37a3c0a4dda553bdcfc80c178a58247f42fb...12fc37a3c0a4dda553bdcfc80c178a58247f42fb#hash" rel="nofollow"><code>88fc37a3c0...12fc37a3c0 (hash)</code></a><br/>
-com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb...12fc37a3c0a4dda553bdcfc80c178a58247f42fb pare<br/>
-<a href="https://example.com/user/repo/commit/88fc37a3c0a4dda553bdcfc80c178a58247f42fb" rel="nofollow"><code>88fc37a3c0</code></a><br/>
-com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb mit<br/>
-<span class="emoji" aria-label="thumbs up">👍</span><br/>
-<a href="mailto:mail@domain.com" rel="nofollow">mail@domain.com</a><br/>
-@mention-user test<br/>
-#123<br/>
+	expected := `<p>space @mention-user<br/>
+/just/a/path.bin
+<a href="https://example.com/file.bin" rel="nofollow">https://example.com/file.bin</a>
+<a href="/file.bin" rel="nofollow">local link</a>
+<a href="https://example.com" rel="nofollow">remote link</a>
+<a href="/file.bin" rel="nofollow">local link</a>
+<a href="https://example.com" rel="nofollow">remote link</a>
+<a href="/image.jpg" target="_blank" rel="nofollow noopener"><img src="/image.jpg" alt="local image"/></a>
+<a href="/path/file" target="_blank" rel="nofollow noopener"><img src="/path/file" alt="local image"/></a>
+<a href="/path/file" target="_blank" rel="nofollow noopener"><img src="/path/file" alt="local image"/></a>
+<a href="https://example.com/image.jpg" target="_blank" rel="nofollow noopener"><img src="https://example.com/image.jpg" alt="remote image"/></a>
+<a href="/image.jpg" rel="nofollow"><img src="/image.jpg" title="local image" alt="local image"/></a>
+<a href="https://example.com/image.jpg" rel="nofollow"><img src="https://example.com/image.jpg" title="remote link" alt="remote link"/></a>
+<a href="https://example.com/user/repo/compare/88fc37a3c0a4dda553bdcfc80c178a58247f42fb...12fc37a3c0a4dda553bdcfc80c178a58247f42fb#hash" rel="nofollow"><code>88fc37a3c0...12fc37a3c0 (hash)</code></a>
+com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb...12fc37a3c0a4dda553bdcfc80c178a58247f42fb pare
+<a href="https://example.com/user/repo/commit/88fc37a3c0a4dda553bdcfc80c178a58247f42fb" rel="nofollow"><code>88fc37a3c0</code></a>
+com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb mit
+<span class="emoji" aria-label="thumbs up">👍</span>
+<a href="mailto:mail@domain.com" rel="nofollow">mail@domain.com</a>
+@mention-user test
+#123
 space</p>
-`,
-		},
-	}
-
-	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.ForceHardLineBreak, true)()
+`
 	defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
-	for i, c := range cases {
-		result, err := markdown.RenderString(markup.NewTestRenderContext(localMetas), input)
-		assert.NoError(t, err, "Unexpected error in testcase: %v", i)
-		assert.Equal(t, c.Expected, string(result), "Unexpected result in testcase %v", i)
-	}
+	result, err := markdown.RenderString(markup.NewTestRenderContext(localMetas), input)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, string(result))
 }

 func TestAttention(t *testing.T) {
--- a/modules/markup/render.go
+++ b/modules/markup/render.go
@ -28,14 +28,6 @@ const (
 )

 var RenderBehaviorForTesting struct {
-	// Markdown line break rendering has 2 default behaviors:
-	// * Use hard: replace "\n" with "<br>" for comments, setting.Markdown.EnableHardLineBreakInComments=true
-	// * Keep soft: "\n" for non-comments (a.k.a. documents), setting.Markdown.EnableHardLineBreakInDocuments=false
-	// In history, there was a mess:
-	// * The behavior was controlled by `Metas["mode"] != "document",
-	// * However, many places render the content without setting "mode" in Metas, all these places used comment line break setting incorrectly
-	ForceHardLineBreak bool
-
 	// Gitea will emit some additional attributes for various purposes, these attributes don't affect rendering.
 	// But there are too many hard-coded test cases, to avoid changing all of them again and again, we can disable emitting these internal attributes.
 	DisableAdditionalAttributes bool
@ -218,7 +210,7 @@ func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Wr

 	eg.Go(func() (err error) {
 		if r, ok := renderer.(PostProcessRenderer); ok && r.NeedPostProcess() {
-			err = PostProcess(ctx, pr1, pw2)
+			err = PostProcessDefault(ctx, pr1, pw2)
 		} else {
 			_, err = io.Copy(pw2, pr1)
 		}
--- a/modules/structs/repo_branch.go
+++ b/modules/structs/repo_branch.go
@ -25,6 +25,7 @@ type BranchProtection struct {
 	// Deprecated: true
 	BranchName                    string   `json:"branch_name"`
 	RuleName                      string   `json:"rule_name"`
+	Priority                      int64    `json:"priority"`
 	EnablePush                    bool     `json:"enable_push"`
 	EnablePushWhitelist           bool     `json:"enable_push_whitelist"`
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
@ -64,6 +65,7 @@ type CreateBranchProtectionOption struct {
 	// Deprecated: true
 	BranchName                    string   `json:"branch_name"`
 	RuleName                      string   `json:"rule_name"`
+	Priority                      int64    `json:"priority"`
 	EnablePush                    bool     `json:"enable_push"`
 	EnablePushWhitelist           bool     `json:"enable_push_whitelist"`
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
@ -96,6 +98,7 @@ type CreateBranchProtectionOption struct {

 // EditBranchProtectionOption options for editing a branch protection
 type EditBranchProtectionOption struct {
+	Priority                      *int64   `json:"priority"`
 	EnablePush                    *bool    `json:"enable_push"`
 	EnablePushWhitelist           *bool    `json:"enable_push_whitelist"`
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
@ -125,3 +128,8 @@ type EditBranchProtectionOption struct {
 	UnprotectedFilePatterns       *string  `json:"unprotected_file_patterns"`
 	BlockAdminMergeOverride       *bool    `json:"block_admin_merge_override"`
 }
+
+// UpdateBranchProtectionPriories a list to update the branch protection rule priorities
+type UpdateBranchProtectionPriories struct {
+	IDs []int64 `json:"ids"`
+}
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -1204,6 +1204,7 @@ func Routes() *web.Router {
 						m.Patch("", bind(api.EditBranchProtectionOption{}), mustNotBeArchived, repo.EditBranchProtection)
 						m.Delete("", repo.DeleteBranchProtection)
 					})
+					m.Post("/priority", bind(api.UpdateBranchProtectionPriories{}), mustNotBeArchived, repo.UpdateBranchProtectionPriories)
 				}, reqToken(), reqAdmin())
 				m.Group("/tags", func() {
 					m.Get("", repo.ListTags)
--- a/routers/api/v1/repo/branch.go
+++ b/routers/api/v1/repo/branch.go
@ -618,6 +618,7 @@ func CreateBranchProtection(ctx *context.APIContext) {
 	protectBranch = &git_model.ProtectedBranch{
 		RepoID:                        ctx.Repo.Repository.ID,
 		RuleName:                      ruleName,
+		Priority:                      form.Priority,
 		CanPush:                       form.EnablePush,
 		EnableWhitelist:               form.EnablePush && form.EnablePushWhitelist,
 		WhitelistDeployKeys:           form.EnablePush && form.EnablePushWhitelist && form.PushWhitelistDeployKeys,
@ -640,7 +641,7 @@ func CreateBranchProtection(ctx *context.APIContext) {
 		BlockAdminMergeOverride:       form.BlockAdminMergeOverride,
 	}

-	err = git_model.UpdateProtectBranch(ctx, ctx.Repo.Repository, protectBranch, git_model.WhitelistOptions{
+	if err := git_model.UpdateProtectBranch(ctx, ctx.Repo.Repository, protectBranch, git_model.WhitelistOptions{
 		UserIDs:          whitelistUsers,
 		TeamIDs:          whitelistTeams,
 		ForcePushUserIDs: forcePushAllowlistUsers,
@ -649,14 +650,13 @@ func CreateBranchProtection(ctx *context.APIContext) {
 		MergeTeamIDs:     mergeWhitelistTeams,
 		ApprovalsUserIDs: approvalsWhitelistUsers,
 		ApprovalsTeamIDs: approvalsWhitelistTeams,
-	})
-	if err != nil {
+	}); err != nil {
 		ctx.Error(http.StatusInternalServerError, "UpdateProtectBranch", err)
 		return
 	}

 	if isBranchExist {
-		if err = pull_service.CheckPRsForBaseBranch(ctx, ctx.Repo.Repository, ruleName); err != nil {
+		if err := pull_service.CheckPRsForBaseBranch(ctx, ctx.Repo.Repository, ruleName); err != nil {
 			ctx.Error(http.StatusInternalServerError, "CheckPRsForBaseBranch", err)
 			return
 		}
@ -796,6 +796,10 @@ func EditBranchProtection(ctx *context.APIContext) {
 		}
 	}

+	if form.Priority != nil {
+		protectBranch.Priority = *form.Priority
+	}
+
 	if form.EnableMergeWhitelist != nil {
 		protectBranch.EnableMergeWhitelist = *form.EnableMergeWhitelist
 	}
@ -1080,3 +1084,47 @@ func DeleteBranchProtection(ctx *context.APIContext) {

 	ctx.Status(http.StatusNoContent)
 }
+
+// UpdateBranchProtectionPriories updates the priorities of branch protections for a repo
+func UpdateBranchProtectionPriories(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/branch_protections/priority repository repoUpdateBranchProtectionPriories
+	// ---
+	// summary: Update the priorities of branch protections for a repository.
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/UpdateBranchProtectionPriories"
+	// responses:
+	//   "204":
+	//     "$ref": "#/responses/empty"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+	//   "423":
+	//     "$ref": "#/responses/repoArchivedError"
+	form := web.GetForm(ctx).(*api.UpdateBranchProtectionPriories)
+	repo := ctx.Repo.Repository
+
+	if err := git_model.UpdateProtectBranchPriorities(ctx, repo, form.IDs); err != nil {
+		ctx.Error(http.StatusInternalServerError, "UpdateProtectBranchPriorities", err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
--- a/routers/api/v1/swagger/options.go
+++ b/routers/api/v1/swagger/options.go
@ -146,6 +146,9 @@ type swaggerParameterBodies struct {
 	// in:body
 	EditBranchProtectionOption api.EditBranchProtectionOption

+	// in:body
+	UpdateBranchProtectionPriories api.UpdateBranchProtectionPriories
+
 	// in:body
 	CreateOAuth2ApplicationOptions api.CreateOAuth2ApplicationOptions

--- a/routers/web/auth/webauthn.go
+++ b/routers/web/auth/webauthn.go
@ -76,8 +76,17 @@ func WebAuthnPasskeyLogin(ctx *context.Context) {
 	}()

 	// Validate the parsed response.
+
+	// ParseCredentialRequestResponse+ValidateDiscoverableLogin equals to FinishDiscoverableLogin, but we need to ParseCredentialRequestResponse first to get flags
 	var user *user_model.User
-	cred, err := wa.WebAuthn.FinishDiscoverableLogin(func(rawID, userHandle []byte) (webauthn.User, error) {
+	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)
+	if err != nil {
+		// Failed authentication attempt.
+		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+	cred, err := wa.WebAuthn.ValidateDiscoverableLogin(func(rawID, userHandle []byte) (webauthn.User, error) {
 		userID, n := binary.Varint(userHandle)
 		if n <= 0 {
 			return nil, errors.New("invalid rawID")
@ -89,8 +98,8 @@ func WebAuthnPasskeyLogin(ctx *context.Context) {
 			return nil, err
 		}

-		return (*wa.User)(user), nil
-	}, *sessionData, ctx.Req)
+		return wa.NewWebAuthnUser(ctx, user, parsedResponse.Response.AuthenticatorData.Flags), nil
+	}, *sessionData, parsedResponse)
 	if err != nil {
 		// Failed authentication attempt.
 		log.Info("Failed authentication attempt for passkey from %s: %v", ctx.RemoteAddr(), err)
@ -171,7 +180,8 @@ func WebAuthnLoginAssertion(ctx *context.Context) {
 		return
 	}

-	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user))
+	webAuthnUser := wa.NewWebAuthnUser(ctx, user)
+	assertion, sessionData, err := wa.WebAuthn.BeginLogin(webAuthnUser)
 	if err != nil {
 		ctx.ServerError("webauthn.BeginLogin", err)
 		return
@ -216,7 +226,8 @@ func WebAuthnLoginAssertionPost(ctx *context.Context) {
 	}

 	// Validate the parsed response.
-	cred, err := wa.WebAuthn.ValidateLogin((*wa.User)(user), *sessionData, parsedResponse)
+	webAuthnUser := wa.NewWebAuthnUser(ctx, user, parsedResponse.Response.AuthenticatorData.Flags)
+	cred, err := wa.WebAuthn.ValidateLogin(webAuthnUser, *sessionData, parsedResponse)
 	if err != nil {
 		// Failed authentication attempt.
 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
--- a/routers/web/repo/setting/protected_branch.go
+++ b/routers/web/repo/setting/protected_branch.go
@ -322,6 +322,16 @@ func DeleteProtectedBranchRulePost(ctx *context.Context) {
 	ctx.JSONRedirect(fmt.Sprintf("%s/settings/branches", ctx.Repo.RepoLink))
 }

+func UpdateBranchProtectionPriories(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.ProtectBranchPriorityForm)
+	repo := ctx.Repo.Repository
+
+	if err := git_model.UpdateProtectBranchPriorities(ctx, repo, form.IDs); err != nil {
+		ctx.ServerError("UpdateProtectBranchPriorities", err)
+		return
+	}
+}
+
 // RenameBranchPost responses for rename a branch
 func RenameBranchPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.RenameBranchForm)
--- a/routers/web/user/setting/security/webauthn.go
+++ b/routers/web/user/setting/security/webauthn.go
@ -51,7 +51,8 @@ func WebAuthnRegister(ctx *context.Context) {
 		return
 	}

-	credentialOptions, sessionData, err := wa.WebAuthn.BeginRegistration((*wa.User)(ctx.Doer), webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{
+	webAuthnUser := wa.NewWebAuthnUser(ctx, ctx.Doer)
+	credentialOptions, sessionData, err := wa.WebAuthn.BeginRegistration(webAuthnUser, webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{
 		ResidentKey: protocol.ResidentKeyRequirementRequired,
 	}))
 	if err != nil {
@ -92,7 +93,8 @@ func WebauthnRegisterPost(ctx *context.Context) {
 	}()

 	// Verify that the challenge succeeded
-	cred, err := wa.WebAuthn.FinishRegistration((*wa.User)(ctx.Doer), *sessionData, ctx.Req)
+	webAuthnUser := wa.NewWebAuthnUser(ctx, ctx.Doer)
+	cred, err := wa.WebAuthn.FinishRegistration(webAuthnUser, *sessionData, ctx.Req)
 	if err != nil {
 		if pErr, ok := err.(*protocol.Error); ok {
 			log.Error("Unable to finish registration due to error: %v\nDevInfo: %s", pErr, pErr.DevInfo)
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -1081,6 +1081,7 @@ func registerRoutes(m *web.Router) {
 			m.Combo("/edit").Get(repo_setting.SettingsProtectedBranch).
 				Post(web.Bind(forms.ProtectBranchForm{}), context.RepoMustNotBeArchived(), repo_setting.SettingsProtectedBranchPost)
 			m.Post("/{id}/delete", repo_setting.DeleteProtectedBranchRulePost)
+			m.Post("/priority", web.Bind(forms.ProtectBranchPriorityForm{}), context.RepoMustNotBeArchived(), repo_setting.UpdateBranchProtectionPriories)
 		})

 		m.Group("/tags", func() {
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@ -158,6 +158,7 @@ func ToBranchProtection(ctx context.Context, bp *git_model.ProtectedBranch, repo
 	return &api.BranchProtection{
 		BranchName:                    branchName,
 		RuleName:                      bp.RuleName,
+		Priority:                      bp.Priority,
 		EnablePush:                    bp.CanPush,
 		EnablePushWhitelist:           bp.EnableWhitelist,
 		PushWhitelistUsernames:        pushWhitelistUsernames,
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@ -228,6 +228,10 @@ func (f *ProtectBranchForm) Validate(req *http.Request, errs binding.Errors) bin
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }

+type ProtectBranchPriorityForm struct {
+	IDs []int64
+}
+
 //  __      __      ___.   .__                   __
 // /  \    /  \ ____\_ |__ |  |__   ____   ____ |  | __
 // \   \/\/   // __ \| __ \|  |  \ /  _ \ /  _ \|  |/ /
--- a/services/oauth2_provider/access_token.go
+++ b/services/oauth2_provider/access_token.go
@ -241,14 +241,15 @@ func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User, onlyPubli
 		return nil, fmt.Errorf("GetUserOrgList: %w", err)
 	}

+	orgTeams, err := org_model.OrgList(orgs).LoadTeams(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("LoadTeams: %w", err)
+	}
+
 	var groups []string
 	for _, org := range orgs {
 		groups = append(groups, org.Name)
-		teams, err := org.LoadTeams(ctx)
-		if err != nil {
-			return nil, fmt.Errorf("LoadTeams: %w", err)
-		}
-		for _, team := range teams {
+		for _, team := range orgTeams[org.ID] {
 			if team.IsMember(ctx, user.ID) {
 				groups = append(groups, org.Name+":"+team.LowerName)
 			}
--- a/templates/repo/settings/branches.tmpl
+++ b/templates/repo/settings/branches.tmpl
@ -37,9 +37,12 @@
 			</h4>

 			<div class="ui attached segment">
-				<div class="flex-list">
+				<div class="flex-list" id="protected-branches-list" data-update-priority-url="{{$.Repository.Link}}/settings/branches/priority">
 					{{range .ProtectedBranches}}
-						<div class="flex-item tw-items-center">
+						<div class="flex-item tw-items-center item" data-id="{{.ID}}" >
+							<div class="drag-handle tw-cursor-grab">
+								{{svg "octicon-grabber" 16}}
+							</div>
 							<div class="flex-item-main">
 								<div class="flex-item-title">
 									<div class="ui basic primary label">{{.RuleName}}</div>
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -4666,6 +4666,58 @@
        }
      }
    },
+    "/repos/{owner}/{repo}/branch_protections/priority": {
+      "post": {
+        "consumes": [
+          "application/json"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Update the priorities of branch protections for a repository.",
+        "operationId": "repoUpdateBranchProtectionPriories",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/UpdateBranchProtectionPriories"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "$ref": "#/responses/empty"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          },
+          "422": {
+            "$ref": "#/responses/validationError"
+          },
+          "423": {
+            "$ref": "#/responses/repoArchivedError"
+          }
+        }
+      }
+    },
    "/repos/{owner}/{repo}/branch_protections/{name}": {
      "get": {
        "produces": [
@ -18874,6 +18926,11 @@
          },
          "x-go-name": "MergeWhitelistUsernames"
        },
+        "priority": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "Priority"
+        },
        "protected_file_patterns": {
          "type": "string",
          "x-go-name": "ProtectedFilePatterns"
@ -19568,6 +19625,11 @@
          },
          "x-go-name": "MergeWhitelistUsernames"
        },
+        "priority": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "Priority"
+        },
        "protected_file_patterns": {
          "type": "string",
          "x-go-name": "ProtectedFilePatterns"
@ -20800,6 +20862,11 @@
          },
          "x-go-name": "MergeWhitelistUsernames"
        },
+        "priority": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "Priority"
+        },
        "protected_file_patterns": {
          "type": "string",
          "x-go-name": "ProtectedFilePatterns"
@ -24886,6 +24953,21 @@
      },
      "x-go-package": "code.gitea.io/gitea/modules/structs"
    },
+    "UpdateBranchProtectionPriories": {
+      "description": "UpdateBranchProtectionPriories a list to update the branch protection rule priorities",
+      "type": "object",
+      "properties": {
+        "ids": {
+          "type": "array",
+          "items": {
+            "type": "integer",
+            "format": "int64"
+          },
+          "x-go-name": "IDs"
+        }
+      },
+      "x-go-package": "code.gitea.io/gitea/modules/structs"
+    },
    "UpdateFileOptions": {
      "description": "UpdateFileOptions options for updating files\nNote: `author` and `committer` are optional (if only one is given, it will be used for the other, otherwise the authenticated user will be used)",
      "type": "object",
--- a/tests/fuzz/fuzz_test.go
+++ b/tests/fuzz/fuzz_test.go
@ -27,6 +27,6 @@ func FuzzMarkdownRenderRaw(f *testing.F) {
 func FuzzMarkupPostProcess(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
 		setting.AppURL = "http://localhost:3000/"
-		markup.PostProcess(newFuzzRenderContext(), bytes.NewReader(data), io.Discard)
+		markup.PostProcessDefault(newFuzzRenderContext(), bytes.NewReader(data), io.Discard)
 	})
 }
--- a/tests/integration/api_branch_test.go
+++ b/tests/integration/api_branch_test.go
@ -49,7 +49,7 @@ func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPSta
 	return nil
 }

-func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
+func testAPICreateBranchProtection(t *testing.T, branchName string, expectedPriority, expectedHTTPStatus int) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
 	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections", &api.BranchProtection{
 		RuleName: branchName,
@ -60,6 +60,7 @@ func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTP
 		var branchProtection api.BranchProtection
 		DecodeJSON(t, resp, &branchProtection)
 		assert.EqualValues(t, branchName, branchProtection.RuleName)
+		assert.EqualValues(t, expectedPriority, branchProtection.Priority)
 	}
 }

@ -189,13 +190,13 @@ func TestAPIBranchProtection(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

 	// Branch protection  on branch that not exist
-	testAPICreateBranchProtection(t, "master/doesnotexist", http.StatusCreated)
+	testAPICreateBranchProtection(t, "master/doesnotexist", 1, http.StatusCreated)
 	// Get branch protection on branch that exist but not branch protection
 	testAPIGetBranchProtection(t, "master", http.StatusNotFound)

-	testAPICreateBranchProtection(t, "master", http.StatusCreated)
+	testAPICreateBranchProtection(t, "master", 2, http.StatusCreated)
 	// Can only create once
-	testAPICreateBranchProtection(t, "master", http.StatusForbidden)
+	testAPICreateBranchProtection(t, "master", 0, http.StatusForbidden)

 	// Can't delete a protected branch
 	testAPIDeleteBranch(t, "master", http.StatusForbidden)
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
--- a/web_src/js/features/common-fetch-action.ts
+++ b/web_src/js/features/common-fetch-action.ts
@ -122,6 +122,6 @@ async function linkAction(el: HTMLElement, e: Event) {
 }

 export function initGlobalFetchAction() {
-  addDelegatedEventListener(document, 'click', '.form-fetch-action', formFetchAction);
+  addDelegatedEventListener(document, 'submit', '.form-fetch-action', formFetchAction);
  addDelegatedEventListener(document, 'click', '.link-action', linkAction);
 }
--- a/web_src/js/features/repo-issue-list.ts
+++ b/web_src/js/features/repo-issue-list.ts
@ -196,7 +196,11 @@ async function initIssuePinSort() {

  createSortable(pinDiv, {
    group: 'shared',
-    onEnd: pinMoveEnd, // eslint-disable-line @typescript-eslint/no-misused-promises
+    onEnd: (e) => {
+      (async () => {
+        await pinMoveEnd(e);
+      })();
+    },
  });
 }

--- a/web_src/js/features/repo-settings-branches.test.ts
+++ b/web_src/js/features/repo-settings-branches.test.ts
@ -0,0 +1,71 @@
+import {beforeEach, describe, expect, test, vi} from 'vitest';
+import {initRepoBranchesSettings} from './repo-settings-branches.ts';
+import {POST} from '../modules/fetch.ts';
+import {createSortable} from '../modules/sortable.ts';
+
+vi.mock('../modules/fetch.ts', () => ({
+  POST: vi.fn(),
+}));
+
+vi.mock('../modules/sortable.ts', () => ({
+  createSortable: vi.fn(),
+}));
+
+describe('Repository Branch Settings', () => {
+  beforeEach(() => {
+    document.body.innerHTML = `
+      <div id="protected-branches-list" data-update-priority-url="some/repo/branches/priority">
+        <div class="flex-item tw-items-center item" data-id="1" >
+          <div class="drag-handle"></div>
+        </div>
+        <div class="flex-item tw-items-center item" data-id="2" >
+          <div class="drag-handle"></div>
+        </div>
+        <div class="flex-item tw-items-center item" data-id="3" >
+          <div class="drag-handle"></div>
+        </div>
+      </div>
+    `;
+
+    vi.clearAllMocks();
+  });
+
+  test('should initialize sortable for protected branches list', () => {
+    initRepoBranchesSettings();
+
+    expect(createSortable).toHaveBeenCalledWith(
+      document.querySelector('#protected-branches-list'),
+      expect.objectContaining({
+        handle: '.drag-handle',
+        animation: 150,
+      }),
+    );
+  });
+
+  test('should not initialize if protected branches list is not present', () => {
+    document.body.innerHTML = '';
+
+    initRepoBranchesSettings();
+
+    expect(createSortable).not.toHaveBeenCalled();
+  });
+
+  test('should post new order after sorting', async () => {
+    vi.mocked(POST).mockResolvedValue({ok: true} as Response);
+
+    // Mock createSortable to capture and execute the onEnd callback
+    vi.mocked(createSortable).mockImplementation((_el, options) => {
+      options.onEnd();
+      return {destroy: vi.fn()};
+    });
+
+    initRepoBranchesSettings();
+
+    expect(POST).toHaveBeenCalledWith(
+      'some/repo/branches/priority',
+      expect.objectContaining({
+        data: {ids: [1, 2, 3]},
+      }),
+    );
+  });
+});
--- a/web_src/js/features/repo-settings-branches.ts
+++ b/web_src/js/features/repo-settings-branches.ts
@ -0,0 +1,32 @@
+import {createSortable} from '../modules/sortable.ts';
+import {POST} from '../modules/fetch.ts';
+import {showErrorToast} from '../modules/toast.ts';
+import {queryElemChildren} from '../utils/dom.ts';
+
+export function initRepoBranchesSettings() {
+  const protectedBranchesList = document.querySelector('#protected-branches-list');
+  if (!protectedBranchesList) return;
+
+  createSortable(protectedBranchesList, {
+    handle: '.drag-handle',
+    animation: 150,
+
+    onEnd: () => {
+      (async () => {
+        const itemElems = queryElemChildren(protectedBranchesList, '.item[data-id]');
+        const itemIds = Array.from(itemElems, (el) => parseInt(el.getAttribute('data-id')));
+
+        try {
+          await POST(protectedBranchesList.getAttribute('data-update-priority-url'), {
+            data: {
+              ids: itemIds,
+            },
+          });
+        } catch (err) {
+          const errorMessage = String(err);
+          showErrorToast(`Failed to update branch protection rule priority:, error: ${errorMessage}`);
+        }
+      })();
+    },
+  });
+}
--- a/web_src/js/features/repo-settings.ts
+++ b/web_src/js/features/repo-settings.ts
@ -3,6 +3,7 @@ import {minimatch} from 'minimatch';
 import {createMonaco} from './codeeditor.ts';
 import {onInputDebounce, queryElems, toggleElem} from '../utils/dom.ts';
 import {POST} from '../modules/fetch.ts';
+import {initRepoBranchesSettings} from './repo-settings-branches.ts';

 const {appSubUrl, csrfToken} = window.config;

@ -154,4 +155,5 @@ export function initRepoSettings() {
  initRepoSettingsCollaboration();
  initRepoSettingsSearchTeamBox();
  initRepoSettingsGitHook();
+  initRepoBranchesSettings();
 }
--- a/web_src/js/features/user-auth-webauthn.ts
+++ b/web_src/js/features/user-auth-webauthn.ts
@ -40,14 +40,15 @@ async function loginPasskey() {
  try {
    const credential = await navigator.credentials.get({
      publicKey: options.publicKey,
-    });
+    }) as PublicKeyCredential;
+    const credResp = credential.response as AuthenticatorAssertionResponse;

    // Move data into Arrays in case it is super long
-    const authData = new Uint8Array(credential.response.authenticatorData);
-    const clientDataJSON = new Uint8Array(credential.response.clientDataJSON);
+    const authData = new Uint8Array(credResp.authenticatorData);
+    const clientDataJSON = new Uint8Array(credResp.clientDataJSON);
    const rawId = new Uint8Array(credential.rawId);
-    const sig = new Uint8Array(credential.response.signature);
-    const userHandle = new Uint8Array(credential.response.userHandle);
+    const sig = new Uint8Array(credResp.signature);
+    const userHandle = new Uint8Array(credResp.userHandle);

    const res = await POST(`${appSubUrl}/user/webauthn/passkey/login`, {
      data: {
@ -175,7 +176,7 @@ async function webauthnRegistered(newCredential) {
  window.location.reload();
 }

-function webAuthnError(errorType, message) {
+function webAuthnError(errorType: string, message:string = '') {
  const elErrorMsg = document.querySelector(`#webauthn-error-msg`);

  if (errorType === 'general') {
@ -207,10 +208,9 @@ function detectWebAuthnSupport() {
 }

 export function initUserAuthWebAuthnRegister() {
-  const elRegister = document.querySelector('#register-webauthn');
-  if (!elRegister) {
-    return;
-  }
+  const elRegister = document.querySelector<HTMLInputElement>('#register-webauthn');
+  if (!elRegister) return;
+
  if (!detectWebAuthnSupport()) {
    elRegister.disabled = true;
    return;
@ -222,7 +222,7 @@ export function initUserAuthWebAuthnRegister() {
 }

 async function webAuthnRegisterRequest() {
-  const elNickname = document.querySelector('#nickname');
+  const elNickname = document.querySelector<HTMLInputElement>('#nickname');

  const formData = new FormData();
  formData.append('name', elNickname.value);
--- a/web_src/js/modules/fetch.ts
+++ b/web_src/js/modules/fetch.ts
@ -1,5 +1,5 @@
 import {isObject} from '../utils.ts';
-import type {RequestData, RequestOpts} from '../types.ts';
+import type {RequestOpts} from '../types.ts';

 const {csrfToken} = window.config;

@ -10,7 +10,7 @@ const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
 // which will automatically set an appropriate headers. For json content, only object
 // and array types are currently supported.
 export function request(url: string, {method = 'GET', data, headers = {}, ...other}: RequestOpts = {}): Promise<Response> {
-  let body: RequestData;
+  let body: string | FormData | URLSearchParams;
  let contentType: string;
  if (data instanceof FormData || data instanceof URLSearchParams) {
    body = data;
--- a/web_src/js/svg.ts
+++ b/web_src/js/svg.ts
@ -34,6 +34,7 @@ import octiconGitCommit from '../../public/assets/img/svg/octicon-git-commit.svg
 import octiconGitMerge from '../../public/assets/img/svg/octicon-git-merge.svg';
 import octiconGitPullRequest from '../../public/assets/img/svg/octicon-git-pull-request.svg';
 import octiconGitPullRequestDraft from '../../public/assets/img/svg/octicon-git-pull-request-draft.svg';
+import octiconGrabber from '../../public/assets/img/svg/octicon-grabber.svg';
 import octiconHeading from '../../public/assets/img/svg/octicon-heading.svg';
 import octiconHorizontalRule from '../../public/assets/img/svg/octicon-horizontal-rule.svg';
 import octiconImage from '../../public/assets/img/svg/octicon-image.svg';
@ -107,6 +108,7 @@ const svgs = {
  'octicon-git-merge': octiconGitMerge,
  'octicon-git-pull-request': octiconGitPullRequest,
  'octicon-git-pull-request-draft': octiconGitPullRequestDraft,
+  'octicon-grabber': octiconGrabber,
  'octicon-heading': octiconHeading,
  'octicon-horizontal-rule': octiconHorizontalRule,
  'octicon-image': octiconImage,
--- a/web_src/js/types.ts
+++ b/web_src/js/types.ts
@ -24,7 +24,7 @@ export type Config = {

 export type Intent = 'error' | 'warning' | 'info';

-export type RequestData = string | FormData | URLSearchParams;
+export type RequestData = string | FormData | URLSearchParams | Record<string, any>;

 export type RequestOpts = {
  data?: RequestData,
--- a/web_src/js/utils/dom.ts
+++ b/web_src/js/utils/dom.ts
@ -1,6 +1,7 @@
 import {debounce} from 'throttle-debounce';
 import type {Promisable} from 'type-fest';
 import type $ from 'jquery';
+import {isInFrontendUnitTest} from './testhelper.ts';

 type ArrayLikeIterable<T> = ArrayLike<T> & Iterable<T>; // for NodeListOf and Array
 type ElementArg = Element | string | ArrayLikeIterable<Element> | ReturnType<typeof $>;
@ -76,8 +77,8 @@ export function queryElemSiblings<T extends Element>(el: Element, selector = '*'

 // it works like jQuery.children: only the direct children are selected
 export function queryElemChildren<T extends Element>(parent: Element | ParentNode, selector = '*', fn?: ElementsCallback<T>): ArrayLikeIterable<T> {
-  if (window.vitest) {
-    // bypass the vitest bug: it doesn't support ":scope >"
+  if (isInFrontendUnitTest()) {
+    // https://github.com/capricorn86/happy-dom/issues/1620 : ":scope" doesn't work
    const selected = Array.from<T>(parent.children as any).filter((child) => child.matches(selector));
    return applyElemsCallback<T>(selected, fn);
  }
@ -357,6 +358,6 @@ export function addDelegatedEventListener<T extends HTMLElement, E extends Event
  parent.addEventListener(type, (e: Event) => {
    const elem = (e.target as HTMLElement).closest(selector);
    if (!elem) return;
-    listener(elem as T, e);
+    listener(elem as T, e as E);
  }, options);
 }
--- a/web_src/js/utils/testhelper.ts
+++ b/web_src/js/utils/testhelper.ts
@ -0,0 +1,6 @@
+// there could be different "testing" concepts, for example: backend's "setting.IsInTesting"
+// even if backend is in testing mode, frontend could be complied in production mode
+// so this function only checks if the frontend is in unit testing mode (usually from *.test.ts files)
+export function isInFrontendUnitTest() {
+  return process.env.TEST === 'true';
+}