Refactor flash message and remove SanitizeHTML template func (#37179)

1. Fix the "flash message" layout problem for different cases * I am sure most of the users should have ever seen the ugly center-aligned error message with multiple lines. 2. Fix inconsistent "Details" flash message EOL handling, sometimes `\n`, sometimes `<br>` * Now, always use "\n" and use `<pre>` to render 3. Remove SanitizeHTML template func because it is not useful and can be easily abused. * But it is still kept for mail templates, for example: https://github.com/go-gitea/gitea/issues/36049 4. Clarify PostProcessCommitMessage's behavior and add FIXME comment By the way: cleaned up some devtest pages, move embedded style block to CSS file
2026-05-08 14:34:49 +09:00 · 2026-04-12 10:17:25 +08:00
parent ba9258c478
commit 8fcbdf05b0
29 changed files with 159 additions and 113 deletions
--- a/routers/utils/utils.go
+++ b/routers/utils/utils.go
@@ -5,10 +5,11 @@ package utils

 import (
 	"html"
-	"strings"
+	"html/template"
 )

-// SanitizeFlashErrorString will sanitize a flash error string
-func SanitizeFlashErrorString(x string) string {
-	return strings.ReplaceAll(html.EscapeString(x), "\n", "<br>")
+// EscapeFlashErrorString will escape the flash error string
+// Maybe do more sanitization in the future, e.g.: hide sensitive information, etc.
+func EscapeFlashErrorString(x string) template.HTML {
+	return template.HTML(html.EscapeString(x))
 }
--- a/routers/utils/utils_test.go
+++ b/routers/utils/utils_test.go
@@ -4,16 +4,17 @@
 package utils

 import (
+	"html/template"
 	"testing"

 	"github.com/stretchr/testify/assert"
 )

-func TestSanitizeFlashErrorString(t *testing.T) {
+func TestEscapeFlashErrorString(t *testing.T) {
 	tests := []struct {
 		name string
 		arg  string
-		want string
+		want template.HTML
 	}{
 		{
 			name: "no error",
@@ -28,13 +29,13 @@ func TestSanitizeFlashErrorString(t *testing.T) {
 		{
 			name: "line break error",
 			arg:  "some error:\n\nawesome!",
-			want: "some error:<br><br>awesome!",
+			want: "some error:\n\nawesome!",
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := SanitizeFlashErrorString(tt.arg)
+			got := EscapeFlashErrorString(tt.arg)
 			assert.Equal(t, tt.want, got)
 		})
 	}