api: sanitize raw markdown content (#5907)

Fixed a security issue reported by bluebird.

internal/markup/markdown.go

@@ -157,8 +157,7 @@ func RawMarkdown(body []byte, urlPrefix string) []byte {
 		extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
 	}
 
-	body = blackfriday.Markdown(body, renderer, extensions)
+	return blackfriday.Markdown(body, renderer, extensions)
-	return body
 }
 
 // Markdown takes a string or []byte and renders to HTML in Markdown syntax with special links.

internal/markup/markup.go

@@ -334,7 +334,7 @@ func Detect(filename string) Type {
 	}
 }
 
-// Render takes a string or []byte and renders to HTML in given type of syntax with special links.
+// Render takes a string or []byte and renders to sanitized HTML in given type of syntax with special links.
 func Render(typ Type, input interface{}, urlPrefix string, metas map[string]string) []byte {
 	var rawBytes []byte
 	switch v := input.(type) {

internal/route/api/v1/misc/markdown.go

@@ -20,16 +20,18 @@ func Markdown(c *context.APIContext, form api.MarkdownOption) {
 	}
 
 	if len(form.Text) == 0 {
-		c.Write([]byte(""))
+		_, _ = c.Write([]byte(""))
 		return
 	}
 
+	var md []byte
 	switch form.Mode {
 	case "gfm":
-		c.Write(markup.Markdown([]byte(form.Text), form.Context, nil))
+		md = markup.Markdown([]byte(form.Text), form.Context, nil)
 	default:
-		c.Write(markup.RawMarkdown([]byte(form.Text), ""))
+		md = markup.SanitizeBytes(markup.RawMarkdown([]byte(form.Text), ""))
 	}
+	_, _ = c.Write(md)
 }
 
 func MarkdownRaw(c *context.APIContext) {
@@ -38,5 +40,5 @@ func MarkdownRaw(c *context.APIContext) {
 		c.Error(http.StatusUnprocessableEntity, "", err)
 		return
 	}
-	c.Write(markup.RawMarkdown(body, ""))
+	_, _ = c.Write(markup.SanitizeBytes(markup.RawMarkdown(body, "")))
 }