Fix various legacy problems (#37092)

1. Fix #36439 2. Fix #37089 3. Fix incorrect layout of admin auth oidc page 4. Fix #35866 5. Fix #35800 6. Fix #36243
2026-04-05 14:48:07 +00:00 · 2026-04-03 20:19:04 +08:00
parent 30c07c20e9
commit 74060bb849
18 changed files with 132 additions and 76 deletions
--- a/modules/markup/markdown/markdown.go
+++ b/modules/markup/markdown/markdown.go
@@ -21,7 +21,6 @@ import (
 	chromahtml "github.com/alecthomas/chroma/v2/formatters/html"
 	"github.com/yuin/goldmark"
 	highlighting "github.com/yuin/goldmark-highlighting/v2"
-	meta "github.com/yuin/goldmark-meta"
 	"github.com/yuin/goldmark/ast"
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/parser"
@@ -166,7 +165,6 @@ func SpecializedMarkdown(ctx *markup.RenderContext) *GlodmarkRender {
 				ParseBlockDollar:         setting.Markdown.MathCodeBlockOptions.ParseBlockDollar,
 				ParseBlockSquareBrackets: setting.Markdown.MathCodeBlockOptions.ParseBlockSquareBrackets, //  this is a bad syntax "\[ ... \]", it conflicts with normal markdown escaping
 			}),
-			meta.Meta,
 		),
 		goldmark.WithParserOptions(
 			parser.WithAttribute(),
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -429,9 +429,12 @@ test
 ---
 test
 `,
-			`- item1
- item2
-
+			`<hr/>
+<ul>
+<li>item1</li>
+<li>item2</li>
+</ul>
+<hr/>
 <p>test</p>
 `,
 		},
@@ -443,8 +446,8 @@ anything
 ---
 test
 `,
-			`anything
-
+			`<hr/>
+<h2>anything</h2>
 <p>test</p>
 `,
 		},
@@ -471,14 +474,26 @@ foo: bar
 </details><ul>
 <li class="task-list-item"><input type="checkbox" disabled="" data-source-position="19"/>task 1</li>
 </ul>
+`,
+		},
+		// we have our own frontmatter parser, don't need to use github.com/yuin/goldmark-meta
+		{
+			"InvalidFrontmatter",
+			`---
+foo
+`,
+			`<hr/>
+<p>foo</p>
 `,
 		},
 	}

-	for _, test := range testcases {
-		res, err := markdown.RenderString(markup.NewTestRenderContext(), test.input)
-		assert.NoError(t, err, "Unexpected error in testcase: %q", test.name)
-		assert.Equal(t, test.expected, string(res), "Unexpected result in testcase %q", test.name)
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			res, err := markdown.RenderString(markup.NewTestRenderContext(), tt.input)
+			assert.NoError(t, err, "Unexpected error in testcase: %q", tt.name)
+			assert.Equal(t, tt.expected, string(res), "Unexpected result in testcase %q", tt.name)
+		})
 	}
 }

--- a/modules/markup/markdown/meta.go
+++ b/modules/markup/markdown/meta.go
@@ -60,8 +60,8 @@ func ExtractMetadata(contents string, out any) (string, error) {
 	return string(body), err
 }

-// ExtractMetadata consumes a markdown file, parses YAML frontmatter,
-// and returns the frontmatter metadata separated from the markdown content
+// ExtractMetadataBytes consumes a Markdown content, parses YAML frontmatter,
+// and returns the frontmatter metadata separated from the Markdown content
 func ExtractMetadataBytes(contents []byte, out any) ([]byte, error) {
 	var front, body []byte

--- a/modules/markup/sanitizer_default.go
+++ b/modules/markup/sanitizer_default.go
@@ -56,6 +56,11 @@ func (st *Sanitizer) createDefaultPolicy() *bluemonday.Policy {

 	policy.AllowAttrs("src", "autoplay", "controls").OnElements("video")

+	// Native support of "<picture><source media=... srcset=...><img src=...></picture>"
+	// ATTENTION: it only works with "auto" theme, because "media" query doesn't work with the theme chosen by end user manually.
+	// For example: browser's color scheme is "dark", but end user chooses "light" theme. Maybe it needs JS to help to make it work.
+	policy.AllowAttrs("media", "srcset").OnElements("source")
+
 	policy.AllowAttrs("loading").OnElements("img")

 	// Allow generally safe attributes (reference: https://github.com/jch/html-pipeline)
@@ -86,6 +91,7 @@ func (st *Sanitizer) createDefaultPolicy() *bluemonday.Policy {
 		"dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th", "s", "strike", "summary",
 		"details", "caption", "figure", "figcaption",
 		"abbr", "bdo", "cite", "dfn", "mark", "small", "span", "time", "video", "wbr",
+		"picture", "source",
 	}
 	// FIXME: Need to handle longdesc in img but there is no easy way to do it
 	policy.AllowAttrs(generalSafeAttrs...).OnElements(generalSafeElements...)
--- a/modules/markup/sanitizer_default_test.go
+++ b/modules/markup/sanitizer_default_test.go
@@ -58,6 +58,9 @@ func TestSanitizer(t *testing.T) {
 		`<a href="cbthunderlink://somebase64string)">my custom URL scheme</a>`, `<a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a>`,
 		`<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a>`, `<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a>`,

+		// picture
+		`<picture><source media="a"><source media="b"><img alt="c" src="d"></picture>`, `<picture><source media="a"><source media="b"><img alt="c" src="d"></picture>`,
+
 		// Disallow dangerous url schemes
 		`<a href="javascript:alert('xss')">bad</a>`, `bad`,
 		`<a href="vbscript:no">bad</a>`, `bad`,