Allow to specify colors for text in markup (go-gitea#20363)

`<span style="color: red">Hello World!</span>` will now be accepted by
Bluemonday, other properties are still disallowed by Bluemonday.

Author: Gusted

modules/markup/sanitizer.go

@@ -85,6 +85,12 @@ func createDefaultPolicy() *bluemonday.Policy {
 	// Allow icons, emojis, chroma syntax and keyword markup on span
 	policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span")
 
+	// Allow 'style' attribute on text elements.
+	policy.AllowAttrs("style").OnElements("span", "p")
+
+	// Allow 'color' property for the style attribute on text elements.
+	policy.AllowStyles("color").OnElements("span", "p")
+
 	// Allow generally safe attributes
 	generalSafeAttrs := []string{
 		"abbr", "accept", "accept-charset",

modules/markup/sanitizer_test.go

@@ -45,6 +45,14 @@ func Test_Sanitizer(t *testing.T) {
 		`<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`,
 		`<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`,
 		`<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`,
+
+		// Color property
+		`<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`,
+		`<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`,
+		`<code style="color: red">Hello World</code>`, `<code>Hello World</code>`,
+		`<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`,
+		`<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`,
+		`<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`,
 	}
 
 	for i := 0; i < len(testCases); i += 2 {