From 357c002c033868f4211dc4daf9c701645664fd61 Mon Sep 17 00:00:00 2001
From: Hongcai Deng
Date: Wed, 9 Sep 2015 17:31:14 +0800
Subject: [PATCH 1/2] add allow attribute `class` to ``

---
 modules/base/tool.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 0e118552a..0fa564819 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -28,6 +28,10 @@ import (
 
 var Sanitizer = bluemonday.UGCPolicy()
 
+func init() {
+	Sanitizer.AllowAttrs("class").OnElements("code")
+}
+
 // Encode string to md5 hex value.
 func EncodeMd5(str string) string {
 	m := md5.New()

From e4d4662074472106f6a2baeb202f242196565482 Mon Sep 17 00:00:00 2001
From: Hongcai Deng
Date: Thu, 10 Sep 2015 09:06:09 +0800
Subject: [PATCH 2/2] add regexp to restrict ``

---
 modules/base/tool.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 0fa564819..fa5202366 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -15,6 +15,7 @@ import (
 	"hash"
 	"html/template"
 	"math"
+	"regexp"
 	"strings"
 	"time"
 
@@ -26,11 +27,8 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-var Sanitizer = bluemonday.UGCPolicy()
+var Sanitizer = bluemonday.UGCPolicy().AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
 
-func init() {
-	Sanitizer.AllowAttrs("class").OnElements("code")
-}
 
 // Encode string to md5 hex value.
 func EncodeMd5(str string) string {
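Review bot: The class pattern on the new `var Sanitizer` line in the second patch is unanchored, so a `[...]*` class matches the empty string at any position and, unless bluemonday anchors the expression itself (as far as I know it calls MatchString, which does not), every class value on `<code>` is accepted and the restriction this commit sets out to add has no effect. Add both anchors so the whole value must match: `^[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*$`. Even anchored, the character set is wide for a class attribute (brackets, slashes, ampersand, parentheses, quotes), and nothing on the page says which class names the renderer actually emits; a one-line comment above the declaration naming that need, e.g. `// class is allowed on <code> only for the renderer's own highlighting classes; keep the pattern as narrow as that output permits`, would let the next reviewer tighten it against untrusted markdown. Separately, after the `-func init()` block is removed the new side keeps two consecutive blank lines before `// Encode string to md5 hex value.`, which gofmt collapses to one.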