Restore checkbox rendering and prevent poor sanitization of spans (#11277)

* Add test Signed-off-by: Andrew Thornton <art27@cantab.net> * Restore checkbox rendering and prevent poor sanitization of spans Signed-off-by: Andrew Thornton <art27@cantab.net> * Also fix preview context Signed-off-by: Andrew Thornton <art27@cantab.net> * Also fix preview context Signed-off-by: Andrew Thornton <art27@cantab.net>
2020-05-03 21:17:24 +01:00 · 2020-05-03 21:17:24 +01:00 · ce66ca7f9f
commit ce66ca7f9f
parent 940ed92392
4 changed files with 21 additions and 3 deletions
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@ -58,15 +58,16 @@ func ReplaceSanitizer() {

 	// Allow icons
 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i")
-	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox))$`)).OnElements("span")

 	// Allow unlabelled labels
 	sanitizer.policy.AllowNoAttrs().OnElements("label")

 	// Allow classes for emojis
-	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("span")
 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")

+	// Allow icons, checkboxes and emojis on span
+	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(ui checkbox)|(ui checked checkbox)|(emoji))$`)).OnElements("span")
+
 	// Allow generally safe attributes
 	generalSafeAttrs := []string{"abbr", "accept", "accept-charset",
 		"accesskey", "action", "align", "alt",