Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Add html filtering#1356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
JoannaaKL merged 7 commits intomainfromadd-html-filtering
Nov 5, 2025
Merged

Add html filtering#1356

JoannaaKL merged 7 commits intomainfromadd-html-filtering
Nov 5, 2025

Conversation

@JoannaaKL
Copy link
Contributor

@JoannaaKLJoannaaKL commentedNov 4, 2025
edited
Loading

This PR:

  • adds a dependency tomicrocosm-cc/bluemonday for html sanitization
  • adds a function that will sanitise html tags
  • uses the above to sanitise pull requests and issues

Misc updates:

  • github.com/microcosm-cc/bluemonday
  • script/licenses andscript/licenses-check were updated to useGOFLAGS=-mod=mod which will ignore the vendor directory. The report template uses theLicenseURL field, but it’s being populated with links to this repo’s vendored paths because the tool is running in vendor mode by default when a vendor/ directory exists. By addingGOFLAGS=-mod=mod vendor directory is ignored and the upstream module url is used as expected.

@JoannaaKLJoannaaKL marked this pull request as ready for reviewNovember 5, 2025 10:23
@JoannaaKLJoannaaKL requested a review froma team as acode ownerNovember 5, 2025 10:23
CopilotAI review requested due to automatic review settingsNovember 5, 2025 10:23
Copy link
Contributor

CopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This PR adds HTML sanitization capabilities to prevent XSS attacks and other security issues when handling user-provided content. It introduces the bluemonday library to sanitize HTML tags in GitHub issue and pull request titles and bodies.

  • Integrates bluemonday library for HTML sanitization with a configurable policy
  • Updates sanitization logic to filter both invisible characters and HTML tags
  • Adds comprehensive test coverage for the new HTML filtering functionality

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.

Show a summary per file
FileDescription
pkg/sanitize/sanitize.goAddsFilterHTMLTags andSanitize functions with bluemonday policy configuration
pkg/sanitize/sanitize_test.goAdds comprehensive test cases for HTML tag filtering
pkg/github/issues.goUpdates to useSanitize instead ofFilterInvisibleCharacters
pkg/github/pullrequests.goUpdates to useSanitize instead ofFilterInvisibleCharacters
go.modAdds bluemonday and its dependencies
go.sumUpdates checksums for new dependencies
third-party-licenses.*.mdAdds license entries for new dependencies
third-party/*/LICENSE*Adds license files for new third-party dependencies
script/licensesAddsGOFLAGS=-mod=mod to go-licenses commands
script/licenses-checkAddsGOFLAGS=-mod=mod and fixes echo to printf

💡Add Copilot custom instructions for smarter, more guided reviews.Learn how to get started.

Copy link
Collaborator

@SamMorrowDrumsSamMorrowDrums left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Looks great! 🚀

Copy link
Contributor

@kerobbikerobbi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Tiny comment, but other than that lgtm!

}

funcFilterHTMLTags(inputstring)string {
ifinput=="" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Maybe we could also check if the string has any HTML in the first place in this early return?

SamMorrowDrums reacted with heart emoji
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Interesting idea, although an early return that has to parse the content might not be an optimisation. Hard to tell without getting into the weeds.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

What I was mainly thinking about is just adding a simple!strings.Contains(input, "<") check, nothing fancy or overly complex. It wouldn't even handle all edge cases (i.e., an input containing a single< for whatever reason) but it would be just a quick scan to avoid running the full sanitiser on plain input. But what you said is definitely a good point!

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Bluemonday does html input tokenization and I don't want to reinvent the wheel here. :)

@JoannaaKLJoannaaKL merged commit6a39a39 intomainNov 5, 2025
22 checks passed
@JoannaaKLJoannaaKL deleted the add-html-filtering branchNovember 5, 2025 11:49
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@SamMorrowDrumsSamMorrowDrumsSamMorrowDrums approved these changes

Copilot code reviewCopilotCopilot left review comments

@kerobbikerobbikerobbi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JoannaaKL@SamMorrowDrums@kerobbi
[8]ページ先頭
©2009-2025 Movatter.jp