From 89d58f5a22585cf46d8ec6ebaff667e83f9950f9 Mon Sep 17 00:00:00 2001
From: Daniel Heath
Date: Thu, 18 Jan 2018 20:50:55 +1100
Subject: [PATCH] Allow insecure markup (for private wikis amongst friends)

---
 main.go | 19 ++++++++++++++++++-
 utils.go | 6 ++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 22471b3..7083993 100755
--- a/main.go
+++ b/main.go
@@ -38,7 +38,20 @@ func main() {
 } else {
 fmt.Printf("\nRunning cowyo server (version %s) at http://%s:%s\n\n", version, host, c.GlobalString("port"))
 }
- serve(c.GlobalString("host"), c.GlobalString("port"), c.GlobalString("cert"), c.GlobalString("key"), TLS, c.GlobalString("css"), c.GlobalString("default-page"), c.GlobalString("lock"), c.GlobalInt("debounce"), c.GlobalBool("diary"))
+
+ allowInsecureHtml = c.GlobalBool("allow-insecure-markup")
+ serve(
+ c.GlobalString("host"),
+ c.GlobalString("port"),
+ c.GlobalString("cert"),
+ c.GlobalString("key"),
+ TLS,
+ c.GlobalString("css"),
+ c.GlobalString("default-page"),
+ c.GlobalString("lock"),
+ c.GlobalInt("debounce"),
+ c.GlobalBool("diary"),
+ )
 return nil
 }
 app.Flags = []cli.Flag{
@@ -82,6 +95,10 @@ func main() {
 Value: "",
 Usage: "show default-page/read instead of editing (default: show random editing)",
 },
+ cli.BoolFlag{
+ Name: "allow-insecure-markup",
+ Usage: "Skip HTML sanitization",
+ },
 cli.StringFlag{
 Name: "lock",
 Value: "",
diff --git a/utils.go b/utils.go
index 7a38ca7..eb483dd 100644
--- a/utils.go
+++ b/utils.go
@@ -20,6 +20,7 @@ import (
 var animals []string
 var adjectives []string
 var aboutPageText string
+var allowInsecureHtml bool
 var log *lumber.ConsoleLogger
@@ -174,6 +175,11 @@ func exists(path string) bool {
 func MarkdownToHtml(s string) string {
 unsafe := blackfriday.MarkdownCommon([]byte(s))
+
+ if allowInsecureHtml {
+ return string(unsafe)
+ }
+
 pClean := bluemonday.UGCPolicy()
 pClean.AllowElements("img")
 pClean.AllowAttrs("alt").OnElements("img")
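Review bot: Disabling sanitization is silent at startup: `allowInsecureHtml = c.GlobalBool("allow-insecure-markup")` is read just before `serve(...)`, after the "Running cowyo server" banner has already been printed, so an operator who copies a command line from a friend's setup gets no indication that every page is now served with raw HTML. Print a loud, unmissable line right after the assignment, in the same style as the banner above it: `if allowInsecureHtml { fmt.Printf("\nWARNING: --allow-insecure-markup is set; page HTML is NOT sanitized, any editor can run script in readers' browsers\n\n") }`. The Go initialism convention would also name the global `allowInsecureHTML`, matching `TLS` on the line below. The enclosing `func main()` action closure begins and ends outside this hunk.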
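Review bot: The flag's usage text `Usage: "Skip HTML sanitization"` names the mechanism but not the consequence, which is the one thing a user deciding whether to pass it needs: with it set, anyone who can edit a page can store `<script>` or an event handler that runs in every reader's browser. Spell that out in the help string, e.g. `Usage: "serve page HTML unsanitized (stored XSS: anyone who can edit a page can run script in readers' browsers); only for wikis whose editors are all trusted"`. The commit title's "private wikis amongst friends" is exactly that caveat and belongs in `--help` rather than only in git history.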
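Review bot: The early return `if allowInsecureHtml { return string(unsafe) }` skips the bluemonday policy entirely rather than relaxing it, so the output is not "richer markup" but whatever the page source contains — `<script>`, `onerror=` handlers, `javascript:` hrefs — and since `MarkdownToHtml` is exported and the switch is a package-level global, every caller of it in the codebase is affected, not only page rendering (what those callers are is not visible here). If the goal is a few extra elements for trusted editors, the lower-risk shape is to keep the sanitizer and widen the policy on the `pClean` lines that follow, which is what bluemonday's `AllowElements`/`AllowAttrs` are for. If the wholesale bypass is intended, document it at the function so the next maintainer does not treat this as a sanitizing function: `// MarkdownToHtml renders s; with allowInsecureHtml set the blackfriday output is returned WITHOUT bluemonday, so any HTML in the page source reaches readers verbatim.` The variable is even named `unsafe`, which makes the unannotated `return string(unsafe)` read as a mistake. The rest of `MarkdownToHtml` continues past the end of this hunk.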