From f09906dc7f29e5703c4f4b4fc078c252068c8f7a Mon Sep 17 00:00:00 2001 From: "j. mccann" Date: Wed, 19 Feb 2020 15:41:08 -0500 Subject: [PATCH 1/2] Allow all characters in title attribute According to the common mark spec: https://spec.commonmark.org/0.29/#link-title You should be able to stick abut anything in there. Right now we're limited by the default setting of bluemonday which restricts what can go in a title tag and makes our rendering not compliant with the spec. This should fix #10326 --- modules/markup/sanitizer.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 49f681f05a1e6..00e7ccfc717f5 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -56,6 +56,9 @@ func ReplaceSanitizer() { // Allow classes for anchors sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a") + // Allow more characters in title attribute per commonmark spec + sanitizer.policy.AllowAttrs("title").Matching(regexp.MustCompile(`(.*?)`)).OnElements("a") + // Custom keyword markup for _, rule := range setting.ExternalSanitizerRules { if rule.Regexp != nil { From 123564fa4d6f4603ff4b7e80388c2b8b23170582 Mon Sep 17 00:00:00 2001 From: "j. mccann" Date: Thu, 20 Feb 2020 10:29:44 -0500 Subject: [PATCH 2/2] add a few tests --- modules/markup/markdown/markdown_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go index b2cf529964091..f44c0acb96131 100644 --- a/modules/markup/markdown/markdown_test.go +++ b/modules/markup/markdown/markdown_test.go @@ -93,6 +93,12 @@ func TestRender_Images(t *testing.T) { test( "[!["+title+"]("+url+")]("+href+")", `

`+title+`

`) + test( + "!["+title+"]("+url+" \"1 -> 2 -> 3 -> 4 -> 5\")", + `

`+title+`

`) + test( + "!["+title+"]("+url+" \"this?is#a!test:P\")", + `

`+title+`

`) } func testAnswers(baseURLContent, baseURLImages string) []string {