From e4d4662074472106f6a2baeb202f242196565482 Mon Sep 17 00:00:00 2001
From: Hongcai Deng <admin@dhchouse.com>
Date: Thu, 10 Sep 2015 09:06:09 +0800
Subject: [PATCH] add regexp to restrict `<code class=""></code>`

---
 modules/base/tool.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 0fa564819..fa5202366 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -15,6 +15,7 @@ import (
 	"hash"
 	"html/template"
 	"math"
+	"regexp"
 	"strings"
 	"time"
 
@@ -26,11 +27,8 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-var Sanitizer = bluemonday.UGCPolicy()
+var Sanitizer = bluemonday.UGCPolicy().AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
 
-func init() {
-	Sanitizer.AllowAttrs("class").OnElements("code")
-}
 
 // Encode string to md5 hex value.
 func EncodeMd5(str string) string {
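Review bot: The pattern passed to `Matching` on the new `Sanitizer` line is unanchored, so it does not restrict anything: `[...]*` matches the empty string, and Go's `regexp.MatchString` accepts a match anywhere in the input, so every class value, including ones with quotes, `<`, `>` or `{`/`}`, satisfies it unless bluemonday anchors the expression itself (I do not believe it does). Anchor the expression to the whole value, `regexp.MustCompile(`^[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*$`)`, so the allow-list actually applies. Since the policy is built in a package-level `var` initializer, a short comment on why only these characters are permitted on `code` classes (highlighter language names, presumably) would help the next maintainer extend it safely.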