Skip to content

Commit 7bcdcc0

Browse files
wxiaoguangwxiaoguang
committed
fix
1 parent 195fc71 commit 7bcdcc0

File tree

3 files changed

+25
-15
lines changed

3 files changed

+25
-15
lines changed

modules/markup/render.go

Lines changed: 21 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ import (
1212
"strings"
1313
"time"
1414

15+
"code.gitea.io/gitea/modules/htmlutil"
1516
"code.gitea.io/gitea/modules/markup/internal"
1617
"code.gitea.io/gitea/modules/setting"
1718
"code.gitea.io/gitea/modules/util"
@@ -164,23 +165,28 @@ func RenderString(ctx *RenderContext, content string) (string, error) {
164165
}
165166

166167
func renderIFrame(ctx *RenderContext, output io.Writer) error {
167-
// set height="0" ahead, otherwise the scrollHeight would be max(150, realHeight)
168-
// at the moment, only "allow-scripts" is allowed for sandbox mode.
169-
// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
170-
// TODO: when using dark theme, if the rendered content doesn't have proper style, the default text color is black, which is not easy to read
171-
_, err := io.WriteString(output, fmt.Sprintf(`
172-
<iframe src="%s/%s/%s/render/%s/%s"
173-
name="giteaExternalRender"
174-
onload="this.height=giteaExternalRender.document.documentElement.scrollHeight"
175-
width="100%%" height="0" scrolling="no" frameborder="0" style="overflow: hidden"
176-
sandbox="allow-scripts"
177-
></iframe>`,
178-
setting.AppSubURL,
168+
src := fmt.Sprintf("%s/%s/%s/render/%s/%s", setting.AppSubURL,
179169
url.PathEscape(ctx.RenderOptions.Metas["user"]),
180170
url.PathEscape(ctx.RenderOptions.Metas["repo"]),
181-
ctx.RenderOptions.Metas["RefTypeNameSubURL"],
182-
url.PathEscape(ctx.RenderOptions.RelativePath),
183-
))
171+
util.PathEscapeSegments(ctx.RenderOptions.Metas["RefTypeNameSubURL"]),
172+
util.PathEscapeSegments(ctx.RenderOptions.RelativePath),
173+
)
174+
175+
defaultWidth := "100%"
176+
defaultHeight := "300"
177+
178+
// ATTENTION! at the moment, only "allow-scripts" is allowed for sandbox mode.
179+
// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
180+
iframe := htmlutil.HTMLFormat(`
181+
<iframe data-src="%s"
182+
class="external-render-iframe"
183+
sandbox="allow-scripts"
184+
width="%s" height="%s"
185+
></iframe>
186+
`,
187+
src, defaultWidth, defaultHeight)
188+
189+
_, err := io.WriteString(output, string(iframe))
184190
return err
185191
}
186192

web_src/css/index.css

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,7 @@
4444
@import "./features/console.css";
4545

4646
@import "./markup/content.css";
47+
@import "./markup/render.css";
4748
@import "./markup/codecopy.css";
4849
@import "./markup/codepreview.css";
4950
@import "./markup/asciicast.css";

web_src/css/markup/render.css

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
.markup .external-render-iframe {
2+
3+
}

0 commit comments

Comments
 (0)