Remove unnecessary SanitizeHTML from code (#29575)

* "mail/issue/default.tmpl": the body is rendered by backend `markdown.RenderString() HTML`, it has been already sanitized * "repo/settings/webhook/base_list.tmpl": "Description" is prepared by backend `ctx.Tr`, it doesn't need to be sanitized
2024-03-04 20:02:45 +08:00 · 2024-03-04 20:02:45 +08:00 · dae7f1ebdb
parent e91733468e
commit dae7f1ebdb
7 changed files with 7 additions and 14 deletions
--- a/docs/content/administration/mail-templates.en-us.md
+++ b/docs/content/administration/mail-templates.en-us.md
@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages
        {{if not (eq .Body "")}}
            <h3>Message content</h3>
            <hr>
-            {{.Body | SanitizeHTML}}
+            {{.Body}}
        {{end}}
    </p>
    <hr>
--- a/docs/content/administration/mail-templates.zh-cn.md
+++ b/docs/content/administration/mail-templates.zh-cn.md
@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
        {{if not (eq .Body "")}}
            <h3>消息内容：</h3>
            <hr>
-            {{.Body | SanitizeHTML}}
+            {{.Body}}
        {{end}}
    </p>
    <hr>
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@ -208,14 +208,8 @@ func SafeHTML(s any) template.HTML {
 }
 // SanitizeHTML sanitizes the input by pre-defined markdown rules
-func SanitizeHTML(s any) template.HTML {
+func SanitizeHTML(s string) template.HTML {
-	switch v := s.(type) {
+	return template.HTML(markup.Sanitize(s))
 	case string:
 		return template.HTML(markup.Sanitize(v))
 	case template.HTML:
 		return template.HTML(markup.Sanitize(string(v)))
 	}
 	panic(fmt.Sprintf("unexpected type %T", s))
 }
 func HTMLEscape(s any) template.HTML {
--- a/modules/templates/helper_test.go
+++ b/modules/templates/helper_test.go
@ -64,5 +64,4 @@ func TestHTMLFormat(t *testing.T) {
 func TestSanitizeHTML(t *testing.T) {
 	assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
 	assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)))
 }
--- a/templates/mail/issue/default.tmpl
+++ b/templates/mail/issue/default.tmpl
@ -58,7 +58,7 @@
 				{{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}}
 			{{end}}
 		{{else}}
-			{{.Body | SanitizeHTML}}
+			{{.Body}}
 		{{end -}}
 		{{- range .ReviewComments}}
 			<hr>
--- a/templates/repo/settings/webhook/base_list.tmpl
+++ b/templates/repo/settings/webhook/base_list.tmpl
@ -10,7 +10,7 @@
 <div class="ui attached segment">
 	<div class="ui list">
 		<div class="item">
-			{{.Description | SanitizeHTML}}
+			{{.Description}}
 		</div>
 		{{range .Webhooks}}
 			<div class="item truncated-item-container">
--- a/templates/status/500.tmpl
+++ b/templates/status/500.tmpl
@ -1,5 +1,5 @@
 {{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics.
-* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName, SanitizeHTML
+* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName
 * ctx.Locale
 * .Flash
 * .ErrorMsg