diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index 4eb01bcc2da52..593a5dce5c1e1 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -17,6 +17,7 @@ import (
"code.gitea.io/gitea/modules/util"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
)
const (
@@ -547,3 +548,45 @@ func TestMarkdownLink(t *testing.T) {
link3
`, string(result))
}
+
+func TestToCWithHTML(t *testing.T) {
+ defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
+
+ t1 := `tag link and Bold`
+ t2 := "code block ``"
+ t3 := "markdown **bold**"
+ input := `---
+include_toc: true
+---
+
+# ` + t1 + `
+# ` + t2 + `
+# ` + t3 + `
+`
+
+ resultHTML, err := markdown.RenderString(markup.NewTestRenderContext(), input)
+ assert.NoError(t, err)
+ result := string(resultHTML)
+
+ pos1, pos2 := strings.Index(result, ``), strings.Index(result, `
`)
+ require.Positive(t, pos1)
+ require.Positive(t, pos2)
+ partToc, partContent := result[pos1:pos2+5], result[pos2+5:]
+ pos3 := strings.Index(partContent, "
+
+tag link and Bold
+
+code block
+
+markdown bold
+`, partToc)
+
+ assert.Equal(t, `tag link and Bold
+code block <a>
+markdown bold
+`, partContent)
+}
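Review bot: The render check at `assert.NoError(t, err)` should be `require.NoError(t, err)` now that `require` is imported in this file: on a render failure the test continues with an empty `result`, and the next `require.Positive(t, pos1)` then fails on a meaningless index of -1 instead of reporting the actual error. The expected-output string literals in this hunk appear to have lost their HTML tags in the page rendering, so the substring positions and the two `assert.Equal` bodies cannot be verified from what is visible here.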
diff --git a/modules/markup/markdown/transform_heading.go b/modules/markup/markdown/transform_heading.go
index a229a7b1a4d20..010c0ef2cbc69 100644
--- a/modules/markup/markdown/transform_heading.go
+++ b/modules/markup/markdown/transform_heading.go
@@ -9,6 +9,7 @@ import (
"code.gitea.io/gitea/modules/markup"
"code.gitea.io/gitea/modules/util"
+ "github.com/microcosm-cc/bluemonday"
"github.com/yuin/goldmark/ast"
"github.com/yuin/goldmark/text"
)
@@ -20,6 +21,7 @@ func (g *ASTTransformer) transformHeading(_ *markup.RenderContext, v *ast.Headin
}
}
txt := v.Text(reader.Source()) //nolint:staticcheck // Text is deprecated
+ txt = bluemonday.StrictPolicy().SanitizeBytes(txt)
header := Header{
Text: util.UnsafeBytesToString(txt),
Level: v.Level,
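Review bot: `bluemonday.StrictPolicy().SanitizeBytes(txt)` does more than strip tags — it also entity-escapes the remaining text (`&` becomes `&amp;`, `<`, `>` and quotes likewise), so `Header.Text` now holds HTML-escaped text rather than plain heading text. If the code that consumes `Header.Text` for the ToC entry or the anchor ID (outside this hunk, as is the start of `transformHeading`) escapes it again, a heading such as `# A & B` would show as `A &amp; B` in the ToC; the new test covers tags but not entities, so a case like that would pin the intended behaviour either way. Building a fresh policy per heading is also avoidable: hoist it to `var headingTextPolicy = bluemonday.StrictPolicy()` at package level and call `txt = headingTextPolicy.SanitizeBytes(txt)` here, with a comment such as `// strip raw HTML from the heading text so the ToC entry and anchor are plain text`.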