Allow render HTML with css/js external links

Author: lunny

modules/markup/csv/csv.go

@@ -51,6 +51,11 @@ func (Renderer) SanitizerDisabled() bool {
 	return false
 }
 
+// DisplayInIFrame disabled sanitize if return true
+func (Renderer) DisplayInIFrame() bool {
+	return false
+}
+
 func writeField(w io.Writer, element, class, field string) error {
 	if _, err := io.WriteString(w, "<"); err != nil {
 		return err

modules/markup/external/external.go

@@ -59,6 +59,11 @@ func (p *Renderer) SanitizerDisabled() bool {
 	return p.DisableSanitizer
 }
 
+// DisplayInIFrame disabled sanitize if return true
+func (p *Renderer) DisplayInIFrame() bool {
+	return p.UseIFrame
+}
+
 func envMark(envName string) string {
 	if runtime.GOOS == "windows" {
 		return "%" + envName + "%"

modules/markup/markdown/markdown.go

@@ -226,6 +226,11 @@ func (Renderer) SanitizerDisabled() bool {
 	return false
 }
 
+// DisplayInIFrame disabled sanitize if return true
+func (Renderer) DisplayInIFrame() bool {
+	return false
+}
+
 // Render implements markup.Renderer
 func (Renderer) Render(ctx *markup.RenderContext, input io.Reader, output io.Writer) error {
 	return render(ctx, input, output)

modules/markup/orgmode/orgmode.go

@@ -52,6 +52,11 @@ func (Renderer) SanitizerDisabled() bool {
 	return false
 }
 
+// DisplayInIFrame disabled sanitize if return true
+func (Renderer) DisplayInIFrame() bool {
+	return false
+}
+
 // Render renders orgmode rawbytes to HTML
 func Render(ctx *markup.RenderContext, input io.Reader, output io.Writer) error {
 	htmlWriter := org.NewHTMLWriter()

modules/markup/renderer.go

@@ -45,6 +45,7 @@ type RenderContext struct {
 	GitRepo       *git.Repository
 	ShaExistCache map[string]bool
 	cancelFn      func()
+	UseIframe     bool
 }
 
 // Cancel runs any cleanup functions that have been registered for this Ctx
@@ -82,6 +83,7 @@ type Renderer interface {
 	NeedPostProcess() bool
 	SanitizerRules() []setting.MarkupSanitizerRule
 	SanitizerDisabled() bool
+	DisplayInIFrame() bool
 	Render(ctx *RenderContext, input io.Reader, output io.Writer) error
 }
 
@@ -134,6 +136,18 @@ type nopCloser struct {
 
 func (nopCloser) Close() error { return nil }
 
+func renderIFrame(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Writer) error {
+	_, err := io.WriteString(output, fmt.Sprintf(`<iframe src="%s%s/%s/render/%s/%s" name="ifd"
+onload="this.height=ifd.document.body.scrollHeight" width="100%%" scrolling="no" frameborder="0"/>`,
+		setting.AppURL,
+		ctx.Metas["user"],
+		ctx.Metas["repo"],
+		ctx.Metas["BranchNameSubURL"],
+		ctx.Filename,
+	))
+	return err
+}
+
 func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Writer) error {
 	var wg sync.WaitGroup
 	var err error
@@ -212,6 +226,9 @@ func (err ErrUnsupportedRenderExtension) Error() string {
 func renderFile(ctx *RenderContext, input io.Reader, output io.Writer) error {
 	extension := strings.ToLower(filepath.Ext(ctx.Filename))
 	if renderer, ok := extRenderers[extension]; ok {
+		if renderer.DisplayInIFrame() && ctx.UseIframe {
+			return renderIFrame(ctx, renderer, input, output)
+		}
 		return render(ctx, renderer, input, output)
 	}
 	return ErrUnsupportedRenderExtension{extension}

modules/setting/markup.go

@@ -30,6 +30,7 @@ type MarkupRenderer struct {
 	NeedPostProcess      bool
 	MarkupSanitizerRules []MarkupSanitizerRule
 	DisableSanitizer     bool
+	UseIFrame            bool
 }
 
 // MarkupSanitizerRule defines the policy for whitelisting attributes on
@@ -152,5 +153,6 @@ func newMarkupRenderer(name string, sec *ini.Section) {
 		IsInputFile:      sec.Key("IS_INPUT_FILE").MustBool(false),
 		NeedPostProcess:  sec.Key("NEED_POSTPROCESS").MustBool(true),
 		DisableSanitizer: sec.Key("DISABLE_SANITIZER").MustBool(false),
+		UseIFrame:        sec.Key("USE_IFRAME").MustBool(false),
 	})
 }

routers/web/repo/render.go

@@ -0,0 +1,85 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package repo
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"path"
+	"strings"
+
+	"code.gitea.io/gitea/modules/charset"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/markup"
+	"code.gitea.io/gitea/modules/typesniffer"
+	"code.gitea.io/gitea/modules/util"
+)
+
+// RenderFile renders a file by repos path
+func RenderFile(ctx *context.Context) {
+	blob, err := ctx.Repo.Commit.GetBlobByPath(ctx.Repo.TreePath)
+	if err != nil {
+		if git.IsErrNotExist(err) {
+			ctx.NotFound("GetBlobByPath", nil)
+		} else {
+			ctx.ServerError("GetBlobByPath", err)
+		}
+		return
+	}
+
+	dataRc, err := blob.DataAsync()
+	if err != nil {
+		ctx.ServerError("DataAsync", err)
+		return
+	}
+	defer dataRc.Close()
+
+	buf := make([]byte, 1024)
+	n, _ := util.ReadAtMost(dataRc, buf)
+	buf = buf[:n]
+
+	st := typesniffer.DetectContentType(buf)
+	isTextFile := st.IsText()
+
+	rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc))
+
+	if markupType := markup.Type(blob.Name()); markupType == "" {
+		if isTextFile {
+			_, err = io.Copy(ctx.Resp, rd)
+			if err != nil {
+				ctx.ServerError("Copy", err)
+			}
+			return
+		}
+		ctx.Error(http.StatusInternalServerError, "Unsupported file type render")
+		return
+	}
+
+	treeLink := ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
+	if len(ctx.Repo.TreePath) > 0 {
+		treeLink += "/" + util.PathEscapeSegments(ctx.Repo.TreePath)
+	}
+
+	var result bytes.Buffer
+	err = markup.Render(&markup.RenderContext{
+		Ctx:       ctx,
+		Filename:  blob.Name(),
+		URLPrefix: path.Dir(treeLink),
+		Metas:     ctx.Repo.Repository.ComposeDocumentMetas(),
+		GitRepo:   ctx.Repo.GitRepo,
+	}, rd, &result)
+	if err != nil {
+		ctx.ServerError("Render", err)
+		return
+	}
+
+	_, err = charset.EscapeControlReader(strings.NewReader(result.String()), ctx.Resp)
+	if err != nil {
+		ctx.ServerError("EscapeControlReader", err)
+		return
+	}
+}

routers/web/repo/view.go

@@ -516,12 +516,15 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 			ctx.Data["IsMarkup"] = true
 			ctx.Data["MarkupType"] = markupType
 			var result strings.Builder
+			metas := ctx.Repo.Repository.ComposeDocumentMetas()
+			metas["BranchNameSubURL"] = ctx.Repo.BranchNameSubURL()
 			err := markup.Render(&markup.RenderContext{
 				Ctx:       ctx,
 				Filename:  blob.Name(),
 				URLPrefix: path.Dir(treeLink),
-				Metas:     ctx.Repo.Repository.ComposeDocumentMetas(),
+				Metas:     metas,
 				GitRepo:   ctx.Repo.GitRepo,
+				UseIframe: true,
 			}, rd, &result)
 			if err != nil {
 				ctx.ServerError("Render", err)

routers/web/web.go

@@ -1148,6 +1148,13 @@ func RegisterRoutes(m *web.Route) {
 			m.Get("/*", context.RepoRefByType(context.RepoRefLegacy), repo.SingleDownload)
 		}, repo.MustBeNotEmpty, reqRepoCodeReader)
 
+		m.Group("/render", func() {
+			m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.RenderFile)
+			m.Get("/tag/*", context.RepoRefByType(context.RepoRefTag), repo.RenderFile)
+			m.Get("/commit/*", context.RepoRefByType(context.RepoRefCommit), repo.RenderFile)
+			m.Get("/blob/{sha}", context.RepoRefByType(context.RepoRefBlob), repo.RenderFile)
+		}, repo.MustBeNotEmpty, reqRepoCodeReader)
+
 		m.Group("/commits", func() {
 			m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.RefCommits)
 			m.Get("/tag/*", context.RepoRefByType(context.RepoRefTag), repo.RefCommits)