Allow render HTML with css/js external links (#19017)
* Allow render HTML with css/js external links * Fix bug because of filename escape chars * Fix lint * Update docs about new configuration item * Fix bug of render HTML in sub directory * Add CSP head for displaying iframe in rendering file * Fix test * Apply suggestions from code review Co-authored-by: delvh <dev.lh@web.de> * Some improvements * some improvement * revert change in SanitizerDisabled of external renderer * Add sandbox for iframe and support allow-scripts and allow-same-origin * refactor * fix * fix lint * fine tune * use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts * fine tune CSP * Apply suggestions from code review Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>tokarchuk/v1.17
parent
7d1770cd71
commit
b01dce2a6e
@ -0,0 +1,79 @@ |
||||
// Copyright 2022 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package repo |
||||
|
||||
import ( |
||||
"bytes" |
||||
"io" |
||||
"net/http" |
||||
"path" |
||||
|
||||
"code.gitea.io/gitea/modules/charset" |
||||
"code.gitea.io/gitea/modules/context" |
||||
"code.gitea.io/gitea/modules/git" |
||||
"code.gitea.io/gitea/modules/markup" |
||||
"code.gitea.io/gitea/modules/typesniffer" |
||||
"code.gitea.io/gitea/modules/util" |
||||
) |
||||
|
||||
// RenderFile renders a file by repos path
|
||||
func RenderFile(ctx *context.Context) { |
||||
blob, err := ctx.Repo.Commit.GetBlobByPath(ctx.Repo.TreePath) |
||||
if err != nil { |
||||
if git.IsErrNotExist(err) { |
||||
ctx.NotFound("GetBlobByPath", err) |
||||
} else { |
||||
ctx.ServerError("GetBlobByPath", err) |
||||
} |
||||
return |
||||
} |
||||
|
||||
dataRc, err := blob.DataAsync() |
||||
if err != nil { |
||||
ctx.ServerError("DataAsync", err) |
||||
return |
||||
} |
||||
defer dataRc.Close() |
||||
|
||||
buf := make([]byte, 1024) |
||||
n, _ := util.ReadAtMost(dataRc, buf) |
||||
buf = buf[:n] |
||||
|
||||
st := typesniffer.DetectContentType(buf) |
||||
isTextFile := st.IsText() |
||||
|
||||
rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc)) |
||||
|
||||
if markupType := markup.Type(blob.Name()); markupType == "" { |
||||
if isTextFile { |
||||
_, err = io.Copy(ctx.Resp, rd) |
||||
if err != nil { |
||||
ctx.ServerError("Copy", err) |
||||
} |
||||
return |
||||
} |
||||
ctx.Error(http.StatusInternalServerError, "Unsupported file type render") |
||||
return |
||||
} |
||||
|
||||
treeLink := ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL() |
||||
if ctx.Repo.TreePath != "" { |
||||
treeLink += "/" + util.PathEscapeSegments(ctx.Repo.TreePath) |
||||
} |
||||
|
||||
ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts") |
||||
err = markup.Render(&markup.RenderContext{ |
||||
Ctx: ctx, |
||||
RelativePath: ctx.Repo.TreePath, |
||||
URLPrefix: path.Dir(treeLink), |
||||
Metas: ctx.Repo.Repository.ComposeDocumentMetas(), |
||||
GitRepo: ctx.Repo.GitRepo, |
||||
InStandalonePage: true, |
||||
}, rd, ctx.Resp) |
||||
if err != nil { |
||||
ctx.ServerError("Render", err) |
||||
return |
||||
} |
||||
} |
Loading…
Reference in new issue