mirror of
https://github.com/go-gitea/gitea
synced 2024-12-23 00:47:57 +01:00
8a20fba8eb
Remove unmaintainable sanitizer rules. No need to add special "class" regexp rules anymore, use RenderInternal.SafeAttr instead, more details (and examples) are in the tests
290 lines
8.7 KiB
Go
290 lines
8.7 KiB
Go
// Copyright 2018 The Gitea Authors. All rights reserved.
|
|
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package templates
|
|
|
|
import (
|
|
"fmt"
|
|
"html"
|
|
"html/template"
|
|
"net/url"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
"code.gitea.io/gitea/modules/base"
|
|
"code.gitea.io/gitea/modules/htmlutil"
|
|
"code.gitea.io/gitea/modules/markup"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/svg"
|
|
"code.gitea.io/gitea/modules/templates/eval"
|
|
"code.gitea.io/gitea/modules/util"
|
|
"code.gitea.io/gitea/services/gitdiff"
|
|
"code.gitea.io/gitea/services/webtheme"
|
|
)
|
|
|
|
// NewFuncMap returns functions for injecting to templates
|
|
func NewFuncMap() template.FuncMap {
|
|
return map[string]any{
|
|
"ctx": func() any { return nil }, // template context function
|
|
|
|
"DumpVar": dumpVar,
|
|
"NIL": func() any { return nil },
|
|
|
|
// -----------------------------------------------------------------
|
|
// html/template related functions
|
|
"dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
|
|
"Iif": iif,
|
|
"Eval": evalTokens,
|
|
"SafeHTML": safeHTML,
|
|
"HTMLFormat": htmlutil.HTMLFormat,
|
|
"HTMLEscape": htmlEscape,
|
|
"QueryEscape": queryEscape,
|
|
"JSEscape": jsEscapeSafe,
|
|
"SanitizeHTML": SanitizeHTML,
|
|
"URLJoin": util.URLJoin,
|
|
"DotEscape": dotEscape,
|
|
|
|
"PathEscape": url.PathEscape,
|
|
"PathEscapeSegments": util.PathEscapeSegments,
|
|
|
|
// utils
|
|
"StringUtils": NewStringUtils,
|
|
"SliceUtils": NewSliceUtils,
|
|
"JsonUtils": NewJsonUtils,
|
|
"DateUtils": NewDateUtils,
|
|
|
|
// -----------------------------------------------------------------
|
|
// svg / avatar / icon / color
|
|
"svg": svg.RenderHTML,
|
|
"EntryIcon": base.EntryIcon,
|
|
"MigrationIcon": migrationIcon,
|
|
"ActionIcon": actionIcon,
|
|
"SortArrow": sortArrow,
|
|
"ContrastColor": util.ContrastColor,
|
|
|
|
// -----------------------------------------------------------------
|
|
// time / number / format
|
|
"FileSize": base.FileSize,
|
|
"CountFmt": base.FormatNumberSI,
|
|
"Sec2Time": util.SecToTime,
|
|
"LoadTimes": func(startTime time.Time) string {
|
|
return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
|
|
},
|
|
|
|
// -----------------------------------------------------------------
|
|
// setting
|
|
"AppName": func() string {
|
|
return setting.AppName
|
|
},
|
|
"AppSubUrl": func() string {
|
|
return setting.AppSubURL
|
|
},
|
|
"AssetUrlPrefix": func() string {
|
|
return setting.StaticURLPrefix + "/assets"
|
|
},
|
|
"AppUrl": func() string {
|
|
// The usage of AppUrl should be avoided as much as possible,
|
|
// because the AppURL(ROOT_URL) may not match user's visiting site and the ROOT_URL in app.ini may be incorrect.
|
|
// And it's difficult for Gitea to guess absolute URL correctly with zero configuration,
|
|
// because Gitea doesn't know whether the scheme is HTTP or HTTPS unless the reverse proxy could tell Gitea.
|
|
return setting.AppURL
|
|
},
|
|
"AppVer": func() string {
|
|
return setting.AppVer
|
|
},
|
|
"AppDomain": func() string { // documented in mail-templates.md
|
|
return setting.Domain
|
|
},
|
|
"AssetVersion": func() string {
|
|
return setting.AssetVersion
|
|
},
|
|
"DefaultShowFullName": func() bool {
|
|
return setting.UI.DefaultShowFullName
|
|
},
|
|
"ShowFooterTemplateLoadTime": func() bool {
|
|
return setting.Other.ShowFooterTemplateLoadTime
|
|
},
|
|
"ShowFooterPoweredBy": func() bool {
|
|
return setting.Other.ShowFooterPoweredBy
|
|
},
|
|
"AllowedReactions": func() []string {
|
|
return setting.UI.Reactions
|
|
},
|
|
"CustomEmojis": func() map[string]string {
|
|
return setting.UI.CustomEmojisMap
|
|
},
|
|
"MetaAuthor": func() string {
|
|
return setting.UI.Meta.Author
|
|
},
|
|
"MetaDescription": func() string {
|
|
return setting.UI.Meta.Description
|
|
},
|
|
"MetaKeywords": func() string {
|
|
return setting.UI.Meta.Keywords
|
|
},
|
|
"EnableTimetracking": func() bool {
|
|
return setting.Service.EnableTimetracking
|
|
},
|
|
"DisableGitHooks": func() bool {
|
|
return setting.DisableGitHooks
|
|
},
|
|
"DisableWebhooks": func() bool {
|
|
return setting.DisableWebhooks
|
|
},
|
|
"DisableImportLocal": func() bool {
|
|
return !setting.ImportLocalPaths
|
|
},
|
|
"UserThemeName": userThemeName,
|
|
"NotificationSettings": func() map[string]any {
|
|
return map[string]any{
|
|
"MinTimeout": int(setting.UI.Notification.MinTimeout / time.Millisecond),
|
|
"TimeoutStep": int(setting.UI.Notification.TimeoutStep / time.Millisecond),
|
|
"MaxTimeout": int(setting.UI.Notification.MaxTimeout / time.Millisecond),
|
|
"EventSourceUpdateTime": int(setting.UI.Notification.EventSourceUpdateTime / time.Millisecond),
|
|
}
|
|
},
|
|
"MermaidMaxSourceCharacters": func() int {
|
|
return setting.MermaidMaxSourceCharacters
|
|
},
|
|
|
|
// -----------------------------------------------------------------
|
|
// render
|
|
"RenderCodeBlock": renderCodeBlock,
|
|
"ReactionToEmoji": reactionToEmoji,
|
|
|
|
// -----------------------------------------------------------------
|
|
// misc
|
|
"ShortSha": base.ShortSha,
|
|
"ActionContent2Commits": ActionContent2Commits,
|
|
"IsMultilineCommitMessage": isMultilineCommitMessage,
|
|
"CommentMustAsDiff": gitdiff.CommentMustAsDiff,
|
|
"MirrorRemoteAddress": mirrorRemoteAddress,
|
|
|
|
"FilenameIsImage": filenameIsImage,
|
|
"TabSizeClass": tabSizeClass,
|
|
|
|
// for backward compatibility only, do not use them anymore
|
|
"TimeSince": timeSinceLegacy,
|
|
"TimeSinceUnix": timeSinceLegacy,
|
|
"DateTime": dateTimeLegacy,
|
|
|
|
"RenderEmoji": renderEmojiLegacy,
|
|
"RenderLabel": renderLabelLegacy,
|
|
"RenderLabels": renderLabelsLegacy,
|
|
"RenderIssueTitle": renderIssueTitleLegacy,
|
|
|
|
"RenderMarkdownToHtml": renderMarkdownToHtmlLegacy,
|
|
|
|
"RenderCommitMessage": renderCommitMessageLegacy,
|
|
"RenderCommitMessageLinkSubject": renderCommitMessageLinkSubjectLegacy,
|
|
"RenderCommitBody": renderCommitBodyLegacy,
|
|
}
|
|
}
|
|
|
|
// safeHTML render raw as HTML
|
|
func safeHTML(s any) template.HTML {
|
|
switch v := s.(type) {
|
|
case string:
|
|
return template.HTML(v)
|
|
case template.HTML:
|
|
return v
|
|
}
|
|
panic(fmt.Sprintf("unexpected type %T", s))
|
|
}
|
|
|
|
// SanitizeHTML sanitizes the input by pre-defined markdown rules
|
|
func SanitizeHTML(s string) template.HTML {
|
|
return template.HTML(markup.Sanitize(s))
|
|
}
|
|
|
|
func htmlEscape(s any) template.HTML {
|
|
switch v := s.(type) {
|
|
case string:
|
|
return template.HTML(html.EscapeString(v))
|
|
case template.HTML:
|
|
return v
|
|
}
|
|
panic(fmt.Sprintf("unexpected type %T", s))
|
|
}
|
|
|
|
func jsEscapeSafe(s string) template.HTML {
|
|
return template.HTML(template.JSEscapeString(s))
|
|
}
|
|
|
|
func queryEscape(s string) template.URL {
|
|
return template.URL(url.QueryEscape(s))
|
|
}
|
|
|
|
// dotEscape wraps a dots in names with ZWJ [U+200D] in order to prevent auto-linkers from detecting these as urls
|
|
func dotEscape(raw string) string {
|
|
return strings.ReplaceAll(raw, ".", "\u200d.\u200d")
|
|
}
|
|
|
|
// iif is an "inline-if", similar util.Iif[T] but templates need the non-generic version,
|
|
// and it could be simply used as "{{iif expr trueVal}}" (omit the falseVal).
|
|
func iif(condition any, vals ...any) any {
|
|
if isTemplateTruthy(condition) {
|
|
return vals[0]
|
|
} else if len(vals) > 1 {
|
|
return vals[1]
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func isTemplateTruthy(v any) bool {
|
|
if v == nil {
|
|
return false
|
|
}
|
|
|
|
rv := reflect.ValueOf(v)
|
|
switch rv.Kind() {
|
|
case reflect.Bool:
|
|
return rv.Bool()
|
|
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
|
return rv.Int() != 0
|
|
case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
|
|
return rv.Uint() != 0
|
|
case reflect.Float32, reflect.Float64:
|
|
return rv.Float() != 0
|
|
case reflect.Complex64, reflect.Complex128:
|
|
return rv.Complex() != 0
|
|
case reflect.String, reflect.Slice, reflect.Array, reflect.Map:
|
|
return rv.Len() > 0
|
|
case reflect.Struct:
|
|
return true
|
|
default:
|
|
return !rv.IsNil()
|
|
}
|
|
}
|
|
|
|
// evalTokens evaluates the expression by tokens and returns the result, see the comment of eval.Expr for details.
|
|
// To use this helper function in templates, pass each token as a separate parameter.
|
|
//
|
|
// {{ $int64 := Eval $var "+" 1 }}
|
|
// {{ $float64 := Eval $var "+" 1.0 }}
|
|
//
|
|
// Golang's template supports comparable int types, so the int64 result can be used in later statements like {{if lt $int64 10}}
|
|
func evalTokens(tokens ...any) (any, error) {
|
|
n, err := eval.Expr(tokens...)
|
|
return n.Value, err
|
|
}
|
|
|
|
func userThemeName(user *user_model.User) string {
|
|
if user == nil || user.Theme == "" {
|
|
return setting.UI.DefaultTheme
|
|
}
|
|
if webtheme.IsThemeAvailable(user.Theme) {
|
|
return user.Theme
|
|
}
|
|
return setting.UI.DefaultTheme
|
|
}
|
|
|
|
func panicIfDevOrTesting() {
|
|
if !setting.IsProd || setting.IsInTesting {
|
|
panic("legacy template functions are for backward compatibility only, do not use them in new code")
|
|
}
|
|
}
|