Also allow image tags

2025-01-30 14:30:08 +08:00 · 2022-07-17 20:51:01 +02:00 · 2022-07-17 20:51:01 +02:00 · 30e167c677
commit 30e167c677
parent 3fc82c05da
2 changed files with 36 additions and 7 deletions
--- a/src/main/java/io/papermc/hangar/service/internal/MarkdownService.java
+++ b/src/main/java/io/papermc/hangar/service/internal/MarkdownService.java
@ -26,21 +26,17 @@ import com.vladsch.flexmark.parser.Parser;
 import com.vladsch.flexmark.util.ast.Node;
 import com.vladsch.flexmark.util.data.MutableDataSet;
 import io.papermc.hangar.config.hangar.HangarConfig;
+import io.papermc.hangar.util.HtmlSanitizerUtil;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
-import org.owasp.html.HtmlPolicyBuilder;
-import org.owasp.html.PolicyFactory;
-import org.owasp.html.Sanitizers;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+
 import java.util.Arrays;
 import java.util.Set;

@Service
 public class MarkdownService {
-
-    private static final PolicyFactory SANITIZER = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.TABLES).and(Sanitizers.STYLES)
-        .and(new HtmlPolicyBuilder().allowElements("details").toFactory());
    private final Parser markdownParser;
    private final MutableDataSet options;
    private final HangarConfig config;
@ -90,7 +86,7 @@ public class MarkdownService {
    }

    public String render(String input, RenderSettings settings) {
-        input = SANITIZER.sanitize(input);
+        input = HtmlSanitizerUtil.SANITIZER.sanitize(input);
        MutableDataSet localOptions = new MutableDataSet(this.options);

        if (settings.linkEscapeChars != null) {
--- a/src/main/java/io/papermc/hangar/util/HtmlSanitizerUtil.java
+++ b/src/main/java/io/papermc/hangar/util/HtmlSanitizerUtil.java
@ -0,0 +1,33 @@
+package io.papermc.hangar.util;
+
+import org.owasp.html.AttributePolicy;
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
+
+public final class HtmlSanitizerUtil {
+
+    private static final PolicyFactory IMAGES = new HtmlPolicyBuilder().allowUrlProtocols("https").allowElements("img")
+        .allowAttributes("alt", "src").onElements("img").allowAttributes("border", "height", "width")
+        .matching(integerPolicy()).onElements("img").toFactory();
+    public static final PolicyFactory SANITIZER = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(IMAGES).and(Sanitizers.TABLES).and(Sanitizers.STYLES)
+        .and(new HtmlPolicyBuilder().allowElements("details").toFactory());
+
+    private static AttributePolicy integerPolicy() {
+        return (elementName, attributeName, value) -> {
+            int n = value.length();
+            if (n == 0) {
+                return null;
+            }
+            for (int i = 0; i < n; ++i) {
+                char ch = value.charAt(i);
+                if (ch == '.') {
+                    return i == 0 ? null : value.substring(0, i);
+                } else if ('0' > ch || ch > '9') {
+                    return null;
+                }
+            }
+            return value;
+        };
+    }
+}