Commit graph

304 commits

Author SHA1 Message Date
Gusted
dccf180307 disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:21 +00:00
Gusted
d3260fe348 [BUG] Render references to cross-repo issues with external issues
- If you have the external issue setting enabled, any reference would
have been rendered as an external issue; however, this shouldn't be
happening to references that refer to issues in other repositories.
- Unit test added.

(cherry picked from commit 05e163aaf3)
2024-08-07 05:43:24 +00:00
TheFox0x7
ce563ade3d enable linter testifylint on v8 (#4573)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4573
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>
2024-07-30 19:41:27 +00:00
Gusted
bb9dcec39c
[v8.0/forgejo] Don't panic on empty blockquote
- Backport #4602
- On an empty blockquote the callout feature would panic, as it expects
to always have at least one child.
- This panic cannot result in a DoS, because any panic that happens
while rendering any markdown input will be recovered gracefully.
- Adds a simple condition to avoid this panic.

(cherry picked from commit efd63ec1d8)
2024-07-22 14:17:50 +02:00
charles
b53be9d45c
Fix markdown math brackets render problem (#31420)
Close #31371, support `($ ... $)` like GitHub

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 90a3c20e7996e2db577a51d37f2190e2e990a22a)

Conflicts:
	modules/markup/markdown/markdown_test.go
	trivial context conflict
2024-06-23 12:40:06 +02:00
wxiaoguang
75bbca68ce
Refactor markup code (#31399)
1. use clearer names
2. remove dead code
3. avoid name shadowing
4. eliminate some lint warnings

(cherry picked from commit 5a7376c0605415e63cb5b3b8f89ead01e567229b)

Conflicts:
	modules/markup/html.go
	simple code divergence, trivial logic
2024-06-23 11:53:36 +02:00
Oleksandr Redko
b640ac4660
Refactor to use UnsafeStringToBytes (#31358)
The PR replaces all `goldmark/util.BytesToReadOnlyString` with
`util.UnsafeBytesToString`, `goldmark/util.StringToReadOnlyBytes` with
`util.UnsafeStringToBytes`. This removes one `TODO`.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 1761459ebc7eb6d432eced093b4583425a5c5d4b)
2024-06-16 13:42:58 +02:00
Lunny Xiao
62ed5f2db5
Fix hash render end with colon (#31319)
Fix a hash render problem like `<hash>: xxxxx` which is usually used in
release notes.

(cherry picked from commit 7115dce773e3021b3538ae360c4e7344d5bbf45b)
2024-06-16 13:42:58 +02:00
silverwind
d8bc0495de
Enable unparam linter (#31277)
Enable [unparam](https://github.com/mvdan/unparam) linter.

Often I could not tell the intention why a param is unused, so I put
`//nolint` for those cases like webhook request creation functions never
using `ctx`.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit fc2d75f86d77b022ece848acf2581c14ef21d43b)

Conflicts:
	modules/setting/config_env.go
	modules/storage/azureblob.go
	services/webhook/dingtalk.go
	services/webhook/discord.go
	services/webhook/feishu.go
	services/webhook/matrix.go
	services/webhook/msteams.go
	services/webhook/packagist.go
	services/webhook/slack.go
	services/webhook/telegram.go
	services/webhook/wechatwork.go

	run make lint-go and fix Forgejo specific warnings
2024-06-16 13:42:58 +02:00
Henrique Pimentel
433b6c6910
Add MAX_ROWS option for CSV rendering (#30268)
This solution implements a new config variable MAX_ROWS, which
corresponds to the “Maximum allowed rows to render CSV files. (0 for no
limit)” and rewrites the Render function for CSV files in markup module.
Now the render function only reads the file once, having MAX_FILE_SIZE+1
as a reader limit and MAX_ROWS as a row limit. When the file is larger
than MAX_FILE_SIZE or has more rows than MAX_ROWS, it only renders until
the limit, and displays a user-friendly warning informing that the
rendered data is not complete, in the user's language.

---

Previously, when a CSV file was larger than the limit, the render
function lost its function to render the code. There were also multiple
reads to the file, in order to determine its size and render or
pre-render.

The warning: ![image](https://s3.amazonaws.com/i.snag.gy/vcKh90.jpg)

(cherry picked from commit f7125ab61aaa02fd4c7ab0062a2dc9a57726e2ec)
2024-06-09 16:04:57 +02:00
Yaroslav Halchenko
2b2fd2728c Add codespell support and fix a good number of typos with its help (#3270)
More about codespell: https://github.com/codespell-project/codespell .

I personally introduced it to dozens if not hundreds of projects already and so far only positive feedback.

```
❯ grep lint-spell Makefile
	@echo " - lint-spell                       lint spelling"
	@echo " - lint-spell-fix                   lint spelling and fix issues"
lint: lint-frontend lint-backend lint-spell
lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix
.PHONY: lint-spell
lint-spell: lint-codespell
.PHONY: lint-spell-fix
lint-spell-fix: lint-codespell-fix
❯ git grep lint- -- .forgejo/
.forgejo/workflows/testing.yml:      - run: make --always-make -j$(nproc) lint-backend checks-backend # ensure the "go-licenses" make target runs
.forgejo/workflows/testing.yml:      - run: make lint-frontend
```
so how would you like me to invoke `lint-codespell` on CI? (without that would be IMHO very suboptimal and let typos sneak in)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Yaroslav Halchenko <debian@onerussian.com>
Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-05-09 13:49:37 +00:00
Chongyi Zheng
c504461b66
Resolve lint for unused parameter and unnecessary type arguments (#30750)
Resolve all cases for `unused parameter` and `unnecessary type
arguments`

Related: #30729

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit e80466f7349164ce4cf3c07bdac30d736d20f035)

Conflicts:
	modules/markup/markdown/transform_codespan.go
	modules/setting/incoming_email.go
	routers/api/v1/admin/user_badge.go
	routers/private/hook_pre_receive.go
	tests/integration/repo_search_test.go
	resolved by discarding the change, this is linting only and
	for the sake of avoiding future conflicts
2024-05-05 08:38:16 +01:00
Gergely Nagy
8164ef9762
markup: Allow cross references to contain URL query parameters too
Adjust the `anyHashPattern` to match URL query parameters too, and
adjust `fullHashPatternProcessor` accordingly.

Includes a test case, and an update to an existing one to account for
the new capture group.

Fixes #3548.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 21:14:16 +02:00
Gergely Nagy
9a01062ae2
Fix user mention processing
When mentioning a user, the markup post-processor did not handle the
case where the mentioned user did not exist well: it tried to skip to
the next node, which in turn, ended up skipping the rest of the line.

To fix this, let's skip just the mentioned, but non-existing user, and
continue processing the current node from there.

Fixes #3535.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-30 12:51:30 +02:00
silverwind
12b199c5e5
Enable more revive linter rules (#30608)
Notable additions:

- `redefines-builtin-id` forbid variable names that shadow go builtins
- `empty-lines` remove unnecessary empty lines that `gofumpt` does not
remove for some reason
- `superfluous-else` eliminate more superfluous `else` branches

Rules are also sorted alphabetically and I cleaned up various parts of
`.golangci.yml`.

(cherry picked from commit 74f0c84fa4245a20ce6fb87dac1faf2aeeded2a2)

Conflicts:
	.golangci.yml
	apply the linter recommendations to Forgejo code as well
2024-04-28 15:39:00 +02:00
0ko
469c214ec8 s/Gitea/Forgejo in various log messages and comments 2024-04-21 21:26:15 +05:00
Mai-Lapyst
acfae43253
Fix panic where now a third link breaks everything 2024-04-19 23:54:46 +02:00
Mai-Lapyst
e9eacdecd2
Fix issue where rendering stops after the first invalid permalink 2024-04-19 18:21:21 +02:00
Mai-Lapyst
5b6b3f3fb3
Fix some edge cases; closes #3232
- Fixes wrong usage of AppURL
- Fixes wrong rendering with extra path segments when AppSubURL is empty
- Now also renders all links when 2+ permalinks are present
2024-04-17 13:02:48 +02:00
wxiaoguang
f692069616
Refactor markdown render (#30139)
Only split the file into small ones (and rename AttentionTypes to
attentionTypes)

(cherry picked from commit 71706126b56616750a65290460fd211b9b8449da)
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>

Conflicts:
	- modules/markup/markdown/goldmark.go
	- modules/markup/markdown/transform_blockquote.go
	Conflicts were resolved by favouring the Forgejo implementation:
	I copied the Forgejo code to the same place Gitea copied them
	to, and adjusted the imports accordingly.

	Apart from conflict resolution, this also moves
	`applyElementDir` from a local func in `goldmark.Transform` to a
	method on `*ASTTransformer`, to make it callable from the
	extracted functions.
2024-04-16 10:42:49 +02:00
Mai-Lapyst
1d1c0131bb Fix inline permalinks across repo; closes #2965 (#3042)
This PR fixes the possible ambiguity of rendered inline permalinks across repos by adding it as a suffix to the title element if the permalink refers to a file not inside the current repository. Closes #2965

![grafik](/attachments/e70e37b8-24c7-4f7b-ab52-92f1e8dfb009)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3042
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mai-Lapyst <mai-lapyst@noreply.codeberg.org>
Co-committed-by: Mai-Lapyst <mai-lapyst@noreply.codeberg.org>
2024-04-12 22:30:20 +00:00
João Tiago
2adc3a45fb
Fixes #27605: inline math blocks can't be preceded/followed by alphanumerical characters (#30175)
- Inline math blocks couldn't be preceded or succeeded by
alphanumerical characters due to changes introduced in PR #21171.
Removed the condition that caused this (precedingCharacter condition)
and added a new exit condition of the for-loop that checks if a specific
'$' was escaped using '\' so that the math expression can be rendered as
intended.
- Additionally this PR fixes another bug where math blocks of the type
'$xyz$abc$' where the dollar sign was not escaped by the user, generated
an error (shown in the screenshots below)
- Altered the tests to accommodate the changes

Former behaviour (from try.gitea.io):

![image](https://github.com/go-gitea/gitea/assets/114936010/8f0cbb21-321d-451c-b871-c67a8e1e9235)

Fixed behaviour (from my local build):

![image](https://github.com/go-gitea/gitea/assets/114936010/5c22687c-6f11-4407-b5e7-c14b838bc20d)

(Edit) Source code for the README.md file:
```
$x$ -$x$ $x$-

a$xa$ $xa$a 1$xb$ $xb$1

$a a$b b$

a$b $a a$b b$

$a a\$b b$
```

---------

Signed-off-by: João Tiago <joao.leal.tintas@tecnico.ulisboa.pt>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit e006451ab1509f8d6d43c5974387c05b26517392)
2024-04-07 15:40:31 +02:00
Gusted
b0cd0ebb91
[BUG] Fix crash in issue forms
- Fix a crash in the issue forms, because `ctx.Ctx` was being
accessed; however, this is not set in all contexts and thus could result in an NPE.
- Adds integration test.
- Resolves #3011
2024-04-04 15:54:06 +02:00
Gusted
6ffae461d4
[BUG] Center icon and callout text
- Wrap the icon and callout into a separate `<p>` which has `display:
flex; align-items: center` set. To center the icon with the callout text.
- Resolves #3006
2024-04-03 22:26:19 +02:00
Earl Warren
2e744dc991 Merge pull request 'Render inline file permalinks' (#2669) from Mai-Lapyst/forgejo:markup-add-filepreview into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2669
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-01 13:57:01 +00:00
Gusted
80f22ab0d8
[BUG] Don't color dot literal color names
- Colordots are generated for colors in inline code, such as `red`,
`rgb(255, 0, 124)`, `#ffaabb` and `hsl(124, 52%, 50%)`. However this
shouldn't be done for literal color names as these can be too commonly
associated with non-color related stuff _and matches the behavior of
some other forge_.
- Move the regexes from bluemonday to Forgejo and do the checking
ourselves.
- Adds unit tests.
- Resolves https://codeberg.org/Codeberg/Community/issues/1510
2024-03-30 14:30:41 +01:00
Mai-Lapyst
6e98bacbbd
Format code 2024-03-28 05:42:25 +01:00
Mai-Lapyst
16a8658878
Update test 2024-03-28 04:20:13 +01:00
Mai-Lapyst
7e0014dd13
Fix formatting & remove commented out code 2024-03-27 18:43:55 +01:00
wxiaoguang
d4ea1c2559
Fix some pending problems (#29985)
These changes are quite independent and trivial, so I don't want to open
too many PRs.

* https://github.com/go-gitea/gitea/pull/29882#discussion_r1529607091
    * the `f.Close` should be called properly
* the error message could be more meaningful
(https://github.com/go-gitea/gitea/pull/29882#pullrequestreview-1942557935)
* https://github.com/go-gitea/gitea/pull/29859#pullrequestreview-1942324716
    * the new translation strings don't take arguments
* https://github.com/go-gitea/gitea/pull/28710#discussion_r1443778807
    * stale for long time
* #28140
    * a form was forgotten to be changed to work with backend code

(cherry picked from commit 226231ea27d4f2b0f09fa4efb39501507613b284)

Conflicts:
	templates/repo/issue/view_content/pull.tmpl
	discarded because unexplained
	templates/status/404.tmpl
	implemented differently in Forgejo
2024-03-26 19:04:26 +01:00
coldWater
664052fb0b
Fix missing error check of bufio.Scanner (#29882)
maybe more

(cherry picked from commit 0e183d81fc5283f9d2047472de580e4f04a046c1)
2024-03-26 19:04:25 +01:00
Mai-Lapyst
2b6546adc9
Add setting to restrict count of lines being displayed & only highlight those lines 2024-03-25 16:05:01 +01:00
Mai-Lapyst
069d87b80f
Remove unneeded case for a trailing dot 2024-03-25 14:33:54 +01:00
Earl Warren
af0bb6e68a Merge pull request '[port] gitea#29833: Refactor markdown attention render' (#2747) from algernon/forgejo:gitea/port/29833/refactor into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2747
2024-03-23 19:44:45 +00:00
Gergely Nagy
d571a2c202
Remove some more dead code from the markup sanitizer
This removes some more dead code from the markup sanitizer:

- Allowing unlabelled labels is no longer necessary as of
  41e8b834af.
- Allowing `style` attributes on `span` and `p` are no longer necessary,
  `bluemonday` allows them by default now.

Selectively cherry picked from commit 66902d89e567ab1ae6dfb828636999c61ff0149e.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-03-23 17:16:22 +01:00
Earl Warren
b5775f6d6e Merge pull request 'modules/markup/markdown/ast: Drop IsColorPreview' (#2746) from algernon/forgejo:gitea/cherry-pick/29833/dead-code-removal into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2746
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-03-23 15:25:08 +00:00
Gergely Nagy
58d4af8fdb
Refactor the GitHub Legacy callout renderer too
Following up on the previous commit, change the GitHub Legacy callout
renderer to render the same as the refactored modern renderer.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-03-23 15:38:43 +01:00
wxiaoguang
ec2201a3da
Refactor markdown attention render (#29833)
* Remove some dead code
* Use 2-word name for CSS class names
* Remove "gt-*" rules for sanitizer

The UI doesn't change much.

(cherry picked from commit 66902d89e567ab1ae6dfb828636999c61ff0149e)
2024-03-23 15:38:43 +01:00
Gergely Nagy
8af8682f7d
modules/markup/markdown/ast: Drop IsColorPreview
The function isn't used anywhere, it's dead code. Remove it.

Partially cherry picked from commit 46c3f3b9e81e25c3ed08ba6c5bfeb8802b3ba1fd.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-03-23 14:47:15 +01:00
Yarden Shoham
20446ac6b3
Don't use <br /> in alert block (#29650)
- Follows https://github.com/go-gitea/gitea/pull/29121

When I implemented alert blocks I was always testing the markdown in
issue comments. I used `<br />` for line breaks and it looked good. I
have since learned that the markdown on README files doesn't allow these
tags. So a comment with

```md
> [!NOTE]
> If you're interested in using our APIs, we have experimental support with [documentation](https://try.gitea.io/api/swagger).
```

looked like this in a comment

![image](https://github.com/go-gitea/gitea/assets/20454870/96b1de01-2c87-4d4f-83dd-98192b83e9d0)
but looked like this in a README

![image](https://github.com/go-gitea/gitea/assets/20454870/474b636d-dd7a-4b7f-ba27-643803c71aa3)

So I changed how we render the alert block by having the alert itself
have a dedicated paragraph, so line breaks happen naturally between
paragraphs.

![image](https://github.com/go-gitea/gitea/assets/20454870/474b636d-dd7a-4b7f-ba27-643803c71aa3)

![image](https://github.com/go-gitea/gitea/assets/20454870/167a8d37-9a44-4479-9340-5dc80347b595)

![image](https://github.com/go-gitea/gitea/assets/20454870/2f99fec0-98ff-4ba8-97fe-b4567041ae79)

![image](https://github.com/go-gitea/gitea/assets/20454870/ffdeae11-fb06-4d00-b497-eae135f0d7ad)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: silverwind <me@silverwind.io>
2024-03-23 12:18:40 +01:00
coldWater
d413a8fcac
Refactor markup/csv: don't read all to memory (#29760)
(cherry picked from commit e79a807a8461a73bd66146d816f635b66e198c89)
2024-03-20 08:46:29 +01:00
KN4CK3R
024bfb7f34
Use relative links for commits, mentions, and issues in markdown (#29427)
Fixes #29404

Use relative links for
- commits
- mentions
- issues

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 85c59d6c21e10ef9d3ccf11713548f50e47e920f)
2024-03-20 08:46:28 +01:00
yp05327
b6e480fcbb
Fix inconsistent rendering of block mathematical expressions (#29677)
Fix #28735

GitHub renders `\```math\``` ` as a block now.
Adding the `display` class will render it as a block.

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/2a1c20c7-438e-4ab1-8c66-cf91c8343087)

![image](https://github.com/go-gitea/gitea/assets/18380374/b81b8a93-8bca-46a5-b7db-e0d2f53e1342)

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 8fc1a8f0eb642c574610a346e858d42c433ebe01)
2024-03-20 08:46:28 +01:00
Mai-Lapyst
ed8e8a792e
Run make fmt 2024-03-18 06:23:12 +01:00
Mai-Lapyst
db6f6281fc
Add copyright & license header to file_preview.go 2024-03-18 06:21:35 +01:00
Mai-Lapyst
10bca456a9
Remove rel and id attributes that only add the linenumber to elements 2024-03-18 06:19:27 +01:00
Mai-Lapyst
8218e80bfc
Fix linting issues 2024-03-16 08:18:47 +01:00
Mai-Lapyst
d789d33229
Split filePreviewPatternProcessor into a new type FilePreview and some functions to make code more maintainable 2024-03-16 08:09:49 +01:00
Mai-Lapyst
562e5cdf32
Get locales directly from context like the other code; add translations for subtitle 2024-03-16 01:17:04 +01:00
Mai-Lapyst
6721cba75b
Fix filePreviewPattern 2024-03-16 00:37:46 +01:00