Refactor HTMLFormat, update chroma render, fix js error (#33136)

A small refactor to improve HTMLFormat, to help to prevent low-level mistakes. And fix #33141, fix #33139
2025-07-22 18:28:37 +00:00 · 2025-01-08 11:44:32 +08:00
parent 67aeb1f896
commit 386c1ed908
12 changed files with 34 additions and 17 deletions
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -38,7 +38,7 @@ func NewFuncMap() template.FuncMap {
 		"Iif":          iif,
 		"Eval":         evalTokens,
 		"SafeHTML":     safeHTML,
-		"HTMLFormat":   htmlutil.HTMLFormat,
+		"HTMLFormat":   htmlFormat,
 		"HTMLEscape":   htmlEscape,
 		"QueryEscape":  queryEscape,
 		"QueryBuild":   QueryBuild,
@@ -207,6 +207,20 @@ func htmlEscape(s any) template.HTML {
 	panic(fmt.Sprintf("unexpected type %T", s))
 }

+func htmlFormat(s any, args ...any) template.HTML {
+	if len(args) == 0 {
+		// to prevent developers from calling "HTMLFormat $userInput" by mistake which will lead to XSS
+		panic("missing arguments for HTMLFormat")
+	}
+	switch v := s.(type) {
+	case string:
+		return htmlutil.HTMLFormat(template.HTML(v), args...)
+	case template.HTML:
+		return htmlutil.HTMLFormat(v, args...)
+	}
+	panic(fmt.Sprintf("unexpected type %T", s))
+}
+
 func jsEscapeSafe(s string) template.HTML {
 	return template.HTML(template.JSEscapeString(s))
 }