chore(release-notes): notes for the week 2024-47-v9.0 weekly cherry pick

Fix and refactor markdown rendering (#32522 )
(cherry picked from commit 5eebe1dc5fb29a162c51d050396fce7b14e47f4e) Conflicts: models/repo/repo.go models/repo/repo_test.go modules/markup/html.go modules/markup/html_commit.go modules/markup/html_email.go modules/markup/html_emoji.go modules/markup/html_internal_test.go modules/markup/html_issue.go modules/markup/html_link.go modules/markup/html_node.go modules/markup/html_test.go modules/markup/markdown/goldmark.go modules/markup/markdown/markdown_test.go modules/markup/markdown/transform_image.go modules/markup/orgmode/orgmode.go modules/markup/orgmode/orgmode_test.go modules/markup/render.go modules/markup/render_links.go modules/templates/util_render.go modules/templates/util_render_test.go routers/common/markup.go routers/web/feed/convert.go routers/web/repo/wiki.go but a few lines survived and are useful
2024-11-21 17:34:24 +01:00 · 2024-11-17 20:52:58 +01:00 · 2024-11-17 20:50:50 +01:00
3 changed files with 8 additions and 4 deletions
--- a/modules/markup/asciicast/asciicast.go
+++ b/modules/markup/asciicast/asciicast.go
@ -39,7 +39,7 @@ const (
 // SanitizerRules implements markup.Renderer
 func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
 	return []setting.MarkupSanitizerRule{
-		{Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile(playerClassName)},
+		{Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile("^" + playerClassName + "$")},
 		{Element: "div", AllowAttr: playerSrcAttr},
 	}
 }
--- a/modules/markup/csv/csv.go
+++ b/modules/markup/csv/csv.go
@ -37,9 +37,9 @@ func (Renderer) Extensions() []string {
 // SanitizerRules implements markup.Renderer
 func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
 	return []setting.MarkupSanitizerRule{
-		{Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`data-table`)},
-		{Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
-		{Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
+		{Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`^data-table$`)},
+		{Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
+		{Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
 	}
 }

--- a/release-notes/5998.md
+++ b/release-notes/5998.md
@ -0,0 +1,4 @@
+fix(security): [commit](https://codeberg.org/forgejo/forgejo/commit/53c546951115d9e269a2778f90e43b0cb413eab6) Fix and refactor markdown rendering
+fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6ac04b8c7dcedb9c6d994bb2a8cd37580394d9dd) Fix oauth2 error handle not return immediately
+fix: [commit](https://codeberg.org/forgejo/forgejo/commit/9f05c76b7b84f3cfafd4de22f5f18b87e4c79775) Fix nil panic if repo doesn't exist
+fix: [commit](https://codeberg.org/forgejo/forgejo/commit/8cec637d08542535d1dc9689c22943cd3ffe1c45) Disable Oauth check if oauth disabled