Refactor flash message and remove SanitizeHTML template func #37179
wxiaoguang merged 4 commits into go-gitea:main from
da199e2 to 8c05c6f
8c05c6f to d96813e
d96813e to 6568780
Pull request overview
This PR refactors how flash messages are rendered across the web UI to improve layout consistency (single-line vs multi-line), standardize “details” rendering using \n + <pre>, and remove the SanitizeHTML template func from normal web templates to reduce misuse potential (while keeping compatibility for mail templates). It also adjusts commit-message post-processing APIs to make the HTML-in/HTML-out behavior explicit.
Changes:
- Centralize flash message rendering via ctx.RenderUtils.RenderFlashMessage, with improved alignment and newline handling.
- Replace SanitizeHTML usage in web templates/handlers with safer alternatives (markup.Sanitize, escaping helpers, or pre-rendered HTML).
- Update PostProcessCommitMessage to accept/return template.HTML, and update affected call sites.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| web_src/css/devtest.css | Moves devtest <h1>/<h2> styling into the CSS file and adds demo form styling. |
| web_src/css/base.css | Updates flash-message styling for <pre> and adds .flex-relaxed-list helper layout class. |
| templates/repo/issue/view_content/comments.tmpl | Switches commit-ref comment rendering to a dedicated sanitized HTML getter. |
| templates/repo/commit_page.tmpl | Removes SanitizeHTML from rendered git note content display. |
| templates/devtest/toast-and-message.tmpl | Wraps devtest content in a container for consistent layout. |
| templates/devtest/fetch-action.tmpl | Cleans up devtest markup, uses new layout helper class, and removes inline styles. |
| templates/devtest/devtest-header.tmpl | Wraps alerts in a container and passes ctx.RootData to alert partial. |
| templates/base/alert.tmpl | Refactors flash rendering to RenderFlashMessage and tweaks 2FA-required message markup/classes. |
| templates/base/alert_details.tmpl | Renders summary/details via <pre> and removes SanitizeHTML usage. |
| routers/web/repo/pull.go | Replaces <br>-based details concatenation with \n and switches to escaping helper. |
| routers/web/repo/issue_view.go | Replaces templates.SanitizeHTML usage with markup.Sanitize and removes unused import. |
| routers/web/repo/issue_new.go | Switches invalid-template flash “Details” to escaped \n-based content. |
| routers/web/repo/editor_error.go | Uses escaping helper and changes JSON fallback error response to a generic message; improves logging. |
| routers/web/repo/commit.go | Adapts to PostProcessCommitMessage HTML-in/HTML-out signature. |
| routers/web/repo/branch.go | Switches push-rejected details to escaping helper. |
| routers/web/feed/convert.go | Replaces templates.SanitizeHTML with markup.Sanitize for feed descriptions. |
| routers/web/devtest/devtest.go | Updates devtest flash messages to use \n and adds mock data for toast/message page. |
| routers/utils/utils.go | Replaces SanitizeFlashErrorString with EscapeFlashErrorString returning escaped template.HTML. |
| routers/utils/utils_test.go | Updates the test to call the renamed function (but expected values still reflect old behavior). |
| modules/templates/util_render.go | Updates commit-message rendering to match new post-processing API and adds RenderFlashMessage. |
| modules/templates/mail.go | Keeps SanitizeHTML available for mail templates (deprecated) by mapping to internal sanitizer. |
| modules/templates/helper.go | Removes SanitizeHTML from web func map; makes sanitizer helper unexported. |
| modules/templates/helper_test.go | Updates sanitizer test to use the unexported helper. |
| modules/markup/html.go | Changes PostProcessCommitMessage signature to template.HTML and adds clarifying FIXME. |
| models/issues/comment.go | Adds a new method to return sanitized HTML for commit-ref comment content. |
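The review summary above describes the security-relevant shape of the change: error text that ends up in a flash message is escaped rather than passed through an HTML sanitizer, and multi-line details are joined with `\n` and rendered inside `<pre>` instead of being concatenated with `<br>`. The following is an added illustration of that pattern in plain Go, not code from this PR or from Gitea; `escapeFlashErrorString` and `renderFlashDetails` are hypothetical names modelled on the `EscapeFlashErrorString` and `RenderFlashMessage` names mentioned in the summary, and the sample error text is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// escapeFlashErrorString is a hypothetical stand-in for the escaping helper the
// review summary refers to. The raw error text is treated as data, not markup:
// every '<', '>', '&', '"' and '\'' is entity-encoded before the result is marked
// as template.HTML. This differs from a sanitizer, which keeps an allow-list of
// tags and therefore still lets some caller-controlled markup through.
func escapeFlashErrorString(s string) template.HTML {
	return template.HTML(html.EscapeString(s))
}

// renderFlashDetails mimics the "\n + <pre>" convention: the first line of the
// already-escaped content is the summary, and any remaining lines are shown in a
// <pre> block so multi-line details keep their layout without needing <br>.
// Only template.HTML is accepted, so a caller cannot pass an unescaped string
// by accident; the escaping step above is the one place raw text is converted.
func renderFlashDetails(content template.HTML) template.HTML {
	summary, details, hasDetails := strings.Cut(string(content), "\n")
	var b strings.Builder
	b.WriteString(`<div class="flash-error">`)
	b.WriteString(summary)
	if hasDetails {
		b.WriteString("<pre>")
		b.WriteString(details)
		b.WriteString("</pre>")
	}
	b.WriteString("</div>")
	return template.HTML(b.String())
}

func main() {
	// Constructed sample: a pre-receive hook message that happens to contain
	// markup. After escaping, the markup is displayed verbatim inside <pre>
	// rather than being interpreted by the browser.
	rejected := "Push rejected by pre-receive hook\n<script>alert(1)</script>\nline 3"
	fmt.Println(renderFlashDetails(escapeFlashErrorString(rejected)))

	// A single-line message gets no <pre> block at all.
	fmt.Println(renderFlashDetails(escapeFlashErrorString("Saved")))
}
```

The point the example makes is the division of responsibility: the escaping helper is the only function that turns untrusted `string` into `template.HTML`, and the renderer only ever composes values that are already `template.HTML`, so the type system documents where the trust boundary sits.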
6568780 to 79ead6b
74bb905 to a5df943
Pull request overview
Copilot reviewed 26 out of 26 changed files in this pull request and generated 2 comments.
Nope. No backport for a non-bug PR
* main:
  Add comment for the design of "user activity time" (go-gitea#37195)
  fix(api): handle missing base branch in PR commits API (go-gitea#37193)
  Refactor htmx and fetch-action related code (go-gitea#37186)
  Fix encoding for Matrix Webhooks (go-gitea#37190)
  Always show owner/repo name in compare page dropdowns (go-gitea#37172)
  fix(api): handle fork-only commits in compare API (go-gitea#37185)
  Improve Contributing docs and set a release schedule (go-gitea#37109)
  Update Nix flake (go-gitea#37183)
  Remove outdated RunUser logic (go-gitea#37180)
  Refactor flash message and remove SanitizeHTML template func (go-gitea#37179)
  Indicate form field readonly via background (go-gitea#37175)
  Remove dead CSS rules (go-gitea#37173)
  Fix flaky `TestCatFileBatch/QueryTerminated` test (go-gitea#37159)
  Implement logout redirection for reverse proxy auth setups (go-gitea#36085)
  Add missing `//nolint:depguard` (go-gitea#37162)

\n, sometimes <br> <pre> to render
By the way: cleaned up some devtest pages, moved the embedded style block to the CSS file.