From 3633f46c92024eaee3d88e2a337e01db1f0d0bd4 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Wed, 22 Oct 2025 13:49:44 +0800
Subject: [PATCH 1/2] fix

---
 custom/conf/app.example.ini               |  5 ++
 modules/markup/external/external.go       |  7 +-
 modules/markup/render.go                  | 46 ++++++++----
 modules/setting/markup.go                 |  4 +-
 routers/web/repo/view.go                  | 17 ++++-
 tests/integration/markup_external_test.go | 87 ++++++++++++++---------
 tests/sqlite.ini.tmpl                     | 13 +++-
 7 files changed, 123 insertions(+), 56 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 4a6356ec50bd0..04ec54250d970 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2541,6 +2541,11 @@ LEVEL = Info
 ;; * no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code.
 ;; * iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.
 ;RENDER_CONTENT_MODE=sanitized
+;;
+;; Whether post-process the rendered HTML content, including:
+;; resolve relative links and image sources, recognizing issue/commit references, escaping invisible characters,
+;; mentioning users, rendering permlink code blocks, replacing emoji shorthands, etc.
+;NEED_POST_PROCESS=false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/markup/external/external.go b/modules/markup/external/external.go
index 39861ade121ee..be40a50aade40 100644
--- a/modules/markup/external/external.go
+++ b/modules/markup/external/external.go
@@ -15,6 +15,8 @@ import (
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/process"
 	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/kballard/go-shellquote"
 )
 
 // RegisterRenderers registers all supported third part renderers according settings
@@ -81,7 +83,10 @@ func (p *Renderer) Render(ctx *markup.RenderContext, input io.Reader, output io.
 		envMark("GITEA_PREFIX_SRC"), baseLinkSrc,
 		envMark("GITEA_PREFIX_RAW"), baseLinkRaw,
 	).Replace(p.Command)
-	commands := strings.Fields(command)
+	commands, err := shellquote.Split(command)
+	if err != nil || len(commands) == 0 {
+		return fmt.Errorf("%s invalid command %q: %w", p.Name(), p.Command, err)
+	}
 	args := commands[1:]
 
 	if p.IsInputFile {
diff --git a/modules/markup/render.go b/modules/markup/render.go
index 79f1f473c2c6f..4eff9734ae2a3 100644
--- a/modules/markup/render.go
+++ b/modules/markup/render.go
@@ -120,31 +120,38 @@ func (ctx *RenderContext) WithHelper(helper RenderHelper) *RenderContext {
 	return ctx
 }
 
-// Render renders markup file to HTML with all specific handling stuff.
-func Render(ctx *RenderContext, input io.Reader, output io.Writer) error {
+// FindRendererByContext finds renderer by RenderContext
+// TODO: it should be merged with other similar functions like GetRendererByFileName, DetectMarkupTypeByFileName, etc
+func FindRendererByContext(ctx *RenderContext) (Renderer, error) {
 	if ctx.RenderOptions.MarkupType == "" && ctx.RenderOptions.RelativePath != "" {
 		ctx.RenderOptions.MarkupType = DetectMarkupTypeByFileName(ctx.RenderOptions.RelativePath)
 		if ctx.RenderOptions.MarkupType == "" {
-			return util.NewInvalidArgumentErrorf("unsupported file to render: %q", ctx.RenderOptions.RelativePath)
+			return nil, util.NewInvalidArgumentErrorf("unsupported file to render: %q", ctx.RenderOptions.RelativePath)
 		}
 	}
 
 	renderer := renderers[ctx.RenderOptions.MarkupType]
 	if renderer == nil {
-		return util.NewInvalidArgumentErrorf("unsupported markup type: %q", ctx.RenderOptions.MarkupType)
+		return nil, util.NewNotExistErrorf("unsupported markup type: %q", ctx.RenderOptions.MarkupType)
 	}
 
-	if ctx.RenderOptions.RelativePath != "" {
-		if externalRender, ok := renderer.(ExternalRenderer); ok && externalRender.DisplayInIFrame() {
-			if !ctx.RenderOptions.InStandalonePage {
-				// for an external "DisplayInIFrame" render, it could only output its content in a standalone page
-				// otherwise, a <iframe> should be outputted to embed the external rendered page
-				return renderIFrame(ctx, output)
-			}
-		}
+	return renderer, nil
+}
+
+func RendererNeedPostProcess(renderer Renderer) bool {
+	if r, ok := renderer.(PostProcessRenderer); ok && r.NeedPostProcess() {
+		return true
 	}
+	return false
+}
 
-	return render(ctx, renderer, input, output)
+// Render renders markup file to HTML with all specific handling stuff.
+func Render(ctx *RenderContext, input io.Reader, output io.Writer) error {
+	renderer, err := FindRendererByContext(ctx)
+	if err != nil {
+		return err
+	}
+	return RenderWithRenderer(ctx, renderer, input, output)
 }
 
 // RenderString renders Markup string to HTML with all specific handling stuff and return string
@@ -185,7 +192,16 @@ func pipes() (io.ReadCloser, io.WriteCloser, func()) {
 	}
 }
 
-func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Writer) error {
+func RenderWithRenderer(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Writer) error {
+	if externalRender, ok := renderer.(ExternalRenderer); ok && externalRender.DisplayInIFrame() {
+		if !ctx.RenderOptions.InStandalonePage {
+			// for an external "DisplayInIFrame" render, it could only output its content in a standalone page
+			// otherwise, a <iframe> should be outputted to embed the external rendered page
+			return renderIFrame(ctx, output)
+		}
+		// else: this is a standalone page, fallthrough to the real rendering
+	}
+
 	ctx.usedByRender = true
 	if ctx.RenderHelper != nil {
 		defer ctx.RenderHelper.CleanUp()
@@ -214,7 +230,7 @@ func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Wr
 	}
 
 	eg.Go(func() (err error) {
-		if r, ok := renderer.(PostProcessRenderer); ok && r.NeedPostProcess() {
+		if RendererNeedPostProcess(renderer) {
 			err = PostProcessDefault(ctx, pr1, pw2)
 		} else {
 			_, err = io.Copy(pw2, pr1)
diff --git a/modules/setting/markup.go b/modules/setting/markup.go
index 057b0650c30e3..5a966dcdf1a53 100644
--- a/modules/setting/markup.go
+++ b/modules/setting/markup.go
@@ -259,7 +259,9 @@ func newMarkupRenderer(name string, sec ConfigSection) {
 		FileExtensions:    exts,
 		Command:           command,
 		IsInputFile:       sec.Key("IS_INPUT_FILE").MustBool(false),
-		NeedPostProcess:   sec.Key("NEED_POSTPROCESS").MustBool(true),
 		RenderContentMode: renderContentMode,
+
+		// if no sanitizer is needed, no post process is needed
+		NeedPostProcess: sec.Key("NEED_POST_PROCESS").MustBool(renderContentMode == RenderContentModeSanitized),
 	})
 }
diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index d294934622cbb..1d05a3aa51c19 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -151,17 +151,28 @@ func loadLatestCommitData(ctx *context.Context, latestCommit *git.Commit) bool {
 }
 
 func markupRender(ctx *context.Context, renderCtx *markup.RenderContext, input io.Reader) (escaped *charset.EscapeStatus, output template.HTML, err error) {
+	renderer, err := markup.FindRendererByContext(renderCtx)
+	if err != nil {
+		return nil, "", err
+	}
+
 	markupRd, markupWr := io.Pipe()
 	defer markupWr.Close()
+
 	done := make(chan struct{})
 	go func() {
 		sb := &strings.Builder{}
-		// We allow NBSP here this is rendered
-		escaped, _ = charset.EscapeControlReader(markupRd, sb, ctx.Locale, charset.RuneNBSP)
+		if markup.RendererNeedPostProcess(renderer) {
+			escaped, _ = charset.EscapeControlReader(markupRd, sb, ctx.Locale, charset.RuneNBSP) // We allow NBSP here this is rendered
+		} else {
+			escaped = &charset.EscapeStatus{}
+			_, _ = io.Copy(sb, markupRd)
+		}
 		output = template.HTML(sb.String())
 		close(done)
 	}()
-	err = markup.Render(renderCtx, input, markupWr)
+
+	err = markup.RenderWithRenderer(renderCtx, renderer, input, markupWr)
 	_ = markupWr.CloseWithError(err)
 	<-done
 	return escaped, output, err
diff --git a/tests/integration/markup_external_test.go b/tests/integration/markup_external_test.go
index 47d143a29e6cc..d4843dcb47209 100644
--- a/tests/integration/markup_external_test.go
+++ b/tests/integration/markup_external_test.go
@@ -4,18 +4,23 @@
 package integration
 
 import (
-	"bytes"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"testing"
 
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/external"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestExternalMarkupRenderer(t *testing.T) {
@@ -25,36 +30,52 @@ func TestExternalMarkupRenderer(t *testing.T) {
 		return
 	}
 
-	req := NewRequest(t, "GET", "/user30/renderer/src/branch/master/README.html")
-	resp := MakeRequest(t, req, http.StatusOK)
-	assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
-
-	bs, err := io.ReadAll(resp.Body)
-	assert.NoError(t, err)
-
-	doc := NewHTMLParser(t, bytes.NewBuffer(bs))
-	div := doc.Find("div.file-view")
-	data, err := div.Html()
-	assert.NoError(t, err)
-	assert.Equal(t, "<div>\n\ttest external renderer\n</div>", strings.TrimSpace(data))
-
-	r := markup.GetRendererByFileName("a.html").(*external.Renderer)
-	r.RenderContentMode = setting.RenderContentModeIframe
-
-	req = NewRequest(t, "GET", "/user30/renderer/src/branch/master/README.html")
-	resp = MakeRequest(t, req, http.StatusOK)
-	assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
-	bs, err = io.ReadAll(resp.Body)
-	assert.NoError(t, err)
-	doc = NewHTMLParser(t, bytes.NewBuffer(bs))
-	iframe := doc.Find("iframe")
-	assert.Equal(t, "/user30/renderer/render/branch/master/README.html", iframe.AttrOr("src", ""))
-
-	req = NewRequest(t, "GET", "/user30/renderer/render/branch/master/README.html")
-	resp = MakeRequest(t, req, http.StatusOK)
-	assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
-	bs, err = io.ReadAll(resp.Body)
-	assert.NoError(t, err)
-	assert.Equal(t, "frame-src 'self'; sandbox allow-scripts", resp.Header().Get("Content-Security-Policy"))
-	assert.Equal(t, "<div>\n\ttest external renderer\n</div>\n", string(bs))
+	onGiteaRun(t, func(t *testing.T, _ *url.URL) {
+		t.Run("RenderNoSanitizer", func(t *testing.T) {
+			user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+			repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+			_, err := createFile(user2, repo1, "file.no-sanitizer", "master", `any content`)
+			require.NoError(t, err)
+
+			req := NewRequest(t, "GET", "/user2/repo1/src/branch/master/file.no-sanitizer")
+			resp := MakeRequest(t, req, http.StatusOK)
+			doc := NewHTMLParser(t, resp.Body)
+			div := doc.Find("div.file-view")
+			data, err := div.Html()
+			assert.NoError(t, err)
+			assert.Equal(t, `<script>window.alert("hi")</script>`, strings.TrimSpace(data))
+		})
+	})
+
+	t.Run("RenderContentDirectly", func(t *testing.T) {
+		req := NewRequest(t, "GET", "/user30/renderer/src/branch/master/README.html")
+		resp := MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
+
+		doc := NewHTMLParser(t, resp.Body)
+		div := doc.Find("div.file-view")
+		data, err := div.Html()
+		assert.NoError(t, err)
+		assert.Equal(t, "<div>\n\ttest external renderer\n</div>", strings.TrimSpace(data))
+	})
+
+	r := markup.GetRendererByFileName("any-file.html").(*external.Renderer)
+	defer test.MockVariableValue(&r.RenderContentMode, setting.RenderContentModeIframe)()
+
+	t.Run("RenderContentInIFrame", func(t *testing.T) {
+		req := NewRequest(t, "GET", "/user30/renderer/src/branch/master/README.html")
+		resp := MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
+		doc := NewHTMLParser(t, resp.Body)
+		iframe := doc.Find("iframe")
+		assert.Equal(t, "/user30/renderer/render/branch/master/README.html", iframe.AttrOr("src", ""))
+
+		req = NewRequest(t, "GET", "/user30/renderer/render/branch/master/README.html")
+		resp = MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "text/html; charset=utf-8", resp.Header().Get("Content-Type"))
+		bs, err := io.ReadAll(resp.Body)
+		assert.NoError(t, err)
+		assert.Equal(t, "frame-src 'self'; sandbox allow-scripts", resp.Header().Get("Content-Security-Policy"))
+		assert.Equal(t, "<div>\n\ttest external renderer\n</div>\n", string(bs))
+	})
 }
diff --git a/tests/sqlite.ini.tmpl b/tests/sqlite.ini.tmpl
index 938f203633528..63bbe82254976 100644
--- a/tests/sqlite.ini.tmpl
+++ b/tests/sqlite.ini.tmpl
@@ -114,9 +114,16 @@ ENABLED = true
 [markup.html]
 ENABLED = true
 FILE_EXTENSIONS = .html
-RENDER_COMMAND = `go run build/test-echo.go`
-IS_INPUT_FILE = false
-RENDER_CONTENT_MODE=sanitized
+RENDER_COMMAND = go run build/test-echo.go
+;RENDER_COMMAND = cat
+;IS_INPUT_FILE = true
+RENDER_CONTENT_MODE = sanitized
+
+[markup.no-sanitizer]
+ENABLED = true
+FILE_EXTENSIONS = .no-sanitizer
+RENDER_COMMAND = echo '<script>window.alert("hi")</script>'
+RENDER_CONTENT_MODE = no-sanitizer
 
 [actions]
 ENABLED = true

From 8b7dfc0f6b9d86f6bb9bb41c30a84b7f0304a9fc Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Wed, 22 Oct 2025 21:26:19 +0800
Subject: [PATCH 2/2] Update custom/conf/app.example.ini

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
---
 custom/conf/app.example.ini | 1 +
 1 file changed, 1 insertion(+)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 04ec54250d970..b77da3ab796c3 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2545,6 +2545,7 @@ LEVEL = Info
 ;; Whether post-process the rendered HTML content, including:
 ;; resolve relative links and image sources, recognizing issue/commit references, escaping invisible characters,
 ;; mentioning users, rendering permlink code blocks, replacing emoji shorthands, etc.
+;; By default, this is true when RENDER_CONTENT_MODE is `sanitized`, otherwise false.
 ;NEED_POST_PROCESS=false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;