* Allow render HTML with css/js external links * Fix bug because of filename escape chars * Fix lint * Update docs about new configuration item * Fix bug of render HTML in sub directory * Add CSP head for displaying iframe in rendering file * Fix test * Apply suggestions from code review Co-authored-by: delvh <dev.lh@web.de> * Some improvements * some improvement * revert change in SanitizerDisabled of external renderer * Add sandbox for iframe and support allow-scripts and allow-same-origin * refactor * fix * fix lint * fine tune * use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts * fine tune CSP * Apply suggestions from code review Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
| // Copyright 2022 The Gitea Authors. All rights reserved.
 | |
| // Use of this source code is governed by a MIT-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package repo
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"io"
 | |
| 	"net/http"
 | |
| 	"path"
 | |
| 
 | |
| 	"code.gitea.io/gitea/modules/charset"
 | |
| 	"code.gitea.io/gitea/modules/context"
 | |
| 	"code.gitea.io/gitea/modules/git"
 | |
| 	"code.gitea.io/gitea/modules/markup"
 | |
| 	"code.gitea.io/gitea/modules/typesniffer"
 | |
| 	"code.gitea.io/gitea/modules/util"
 | |
| )
 | |
| 
 | |
| // RenderFile renders a file by repos path
 | |
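// RenderFile renders a file by repository path.
//
// The blob at ctx.Repo.TreePath is looked up on the current commit and
// written to the response: through the markup renderer when one is
// registered for the file name, otherwise verbatim when the content sniffs
// as text. Any other content is rejected.
//
// Both branches are served under the same Content-Security-Policy: the
// document is sandboxed (scripts allowed, same-origin not granted, so
// repository-controlled HTML never runs with the site's origin) and any
// frames it embeds must be same-origin.
func RenderFile(ctx *context.Context) {
	blob, err := ctx.Repo.Commit.GetBlobByPath(ctx.Repo.TreePath)
	if err != nil {
		if git.IsErrNotExist(err) {
			ctx.NotFound("GetBlobByPath", err)
		} else {
			ctx.ServerError("GetBlobByPath", err)
		}
		return
	}

	dataRc, err := blob.DataAsync()
	if err != nil {
		ctx.ServerError("DataAsync", err)
		return
	}
	defer dataRc.Close()

	// Sniff the content type from the first KiB only. The read error is
	// deliberately ignored: a short or empty prefix merely yields a less
	// specific sniff result, and the rest of the blob is still streamed
	// through rd below.
	buf := make([]byte, 1024)
	n, _ := util.ReadAtMost(dataRc, buf)
	buf = buf[:n]

	st := typesniffer.DetectContentType(buf)
	isTextFile := st.IsText()

	// Re-join the sniffed prefix with the remainder of the blob.
	rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc))

	// Set the CSP before either branch writes to the response: headers
	// added after the first write are not sent. This also covers the raw
	// text branch, which copies repository content verbatim without a
	// Content-Type and therefore could be sniffed as HTML by the browser;
	// the sandbox keeps such content off the site's origin.
	ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")

	markupType := markup.Type(blob.Name())
	if markupType == "" {
		if isTextFile {
			if _, err = io.Copy(ctx.Resp, rd); err != nil {
				ctx.ServerError("Copy", err)
			}
			return
		}
		ctx.Error(http.StatusInternalServerError, "Unsupported file type render")
		return
	}

	// URLPrefix must be the directory containing the file so that relative
	// links inside the rendered document resolve when the file lives in a
	// sub directory; the tree path is escaped segment by segment so that
	// special characters in file names survive the URL.
	treeLink := ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
	if ctx.Repo.TreePath != "" {
		treeLink += "/" + util.PathEscapeSegments(ctx.Repo.TreePath)
	}

	err = markup.Render(&markup.RenderContext{
		Ctx:              ctx,
		RelativePath:     ctx.Repo.TreePath,
		URLPrefix:        path.Dir(treeLink),
		Metas:            ctx.Repo.Repository.ComposeDocumentMetas(),
		GitRepo:          ctx.Repo.GitRepo,
		InStandalonePage: true,
	}, rd, ctx.Resp)
	if err != nil {
		ctx.ServerError("Render", err)
		return
	}
}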
 |