Prevent double sanitize (#16386)

* Prevent double sanitize. * Use SanitizeReaderToWriter. At the moment `actualRender` uses `SanitizeReader` to sanitize the output. But `SanitizeReader` gets called in `markup.render` too so the output gets sanitized twice. I moved the `SanitizeReader` call into `RenderRaw` because this method does not use `markup.render`. I would like to remove the `RenderRaw`/`RenderRawString` methods too because they are only called from tests, the fuzzer and the `/markup/raw` api endpoint. This endpoint is not in use so I think we could remove them. If we really in the future need a method to render markdown without PostProcessing we could achieve this with a more flexible `renderer.NeedPostProcess` method.
2025-10-27 00:23:41 +09:00 · 2021-11-19 11:46:47 +01:00
parent 381e131fc8
commit a09b40de8d
3 changed files with 48 additions and 64 deletions
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -6,7 +6,6 @@
 package markup

 import (
-	"bytes"
 	"io"
 	"regexp"
 	"sync"
@@ -149,11 +148,11 @@ func Sanitize(s string) string {
 }

 // SanitizeReader sanitizes a Reader
-func SanitizeReader(r io.Reader, renderer string) *bytes.Buffer {
+func SanitizeReader(r io.Reader, renderer string, w io.Writer) error {
 	NewSanitizer()
 	policy, exist := sanitizer.rendererPolicies[renderer]
 	if !exist {
 		policy = sanitizer.defaultPolicy
 	}
-	return policy.SanitizeReader(r)
+	return policy.SanitizeReaderToWriter(r, w)
 }