repo flag to allow raw html

7 months ago · 4468b26309
parent 2e0332618b
commit 4468b26309
3 changed files with 56 additions and 0 deletions
--- a/post.go
+++ b/post.go
@ -8,6 +8,7 @@ import (
 	"github.com/yuin/goldmark"
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/parser"
+	"github.com/yuin/goldmark/renderer/html"
 	"gopkg.in/yaml.v2"
 )

@ -80,7 +81,15 @@ func (post Post) MarkdownData() (bytes.Buffer, PostMeta) {
 		}
 	}

+	options := goldmark.WithRendererOptions()
+	if post.user.repo.AllowRawHtml() {
+		options = goldmark.WithRendererOptions(
+			html.WithUnsafe(),
+		)
+	}
+
 	markdown := goldmark.New(
+		options,
 		goldmark.WithExtensions(
 			// meta.Meta,
 			extension.GFM,
--- a/post_test.go
+++ b/post_test.go
@ -3,6 +3,7 @@ package owl_test
 import (
 	"os"
 	"path"
+	"strings"
 	"testing"
 )

@ -84,3 +85,40 @@ func TestDraftInMetaData(t *testing.T) {
 	}

 }
+
+func TestNoRawHTMLIfDisallowedByRepo(t *testing.T) {
+	repo := getTestRepo()
+	user, _ := repo.CreateUser("testuser")
+	post, _ := user.CreateNewPost("testpost")
+	content := "---\n"
+	content += "title: test\n"
+	content += "draft: true\n"
+	content += "---\n"
+	content += "\n"
+	content += "<script>alert('foo')</script>\n"
+	os.WriteFile(post.ContentFile(), []byte(content), 0644)
+	html, _ := post.MarkdownData()
+	html_str := html.String()
+	if strings.Contains(html_str, "<script>") {
+		t.Error("HTML should not be allowed")
+	}
+}
+
+func TestRawHTMLIfAllowedByRepo(t *testing.T) {
+	repo := getTestRepo()
+	repo.SetAllowRawHtml(true)
+	user, _ := repo.CreateUser("testuser")
+	post, _ := user.CreateNewPost("testpost")
+	content := "---\n"
+	content += "title: test\n"
+	content += "draft: true\n"
+	content += "---\n"
+	content += "\n"
+	content += "<script>alert('foo')</script>\n"
+	os.WriteFile(post.ContentFile(), []byte(content), 0644)
+	html, _ := post.MarkdownData()
+	html_str := html.String()
+	if !strings.Contains(html_str, "<script>") {
+		t.Error("HTML should be allowed")
+	}
+}
--- a/repository.go
+++ b/repository.go
@ -19,6 +19,7 @@ type Repository struct {
 	name             string
 	single_user_mode bool
 	active_user      string
+	allow_raw_html   bool
 }

 type RepoConfig struct {
@ -81,6 +82,14 @@ func OpenSingleUserRepo(name string, user_name string) (Repository, error) {
 	return repo, nil
 }

+func (repo Repository) AllowRawHtml() bool {
+	return repo.allow_raw_html
+}
+
+func (repo *Repository) SetAllowRawHtml(allow bool) {
+	repo.allow_raw_html = allow
+}
+
 func (repo *Repository) SetSingleUser(user User) {
 	repo.single_user_mode = true
 	repo.active_user = user.name