From 71cafd964a5d85546f25a6f2afffa659cec30745 Mon Sep 17 00:00:00 2001 From: Anirudh Oppiliappan Date: Wed, 30 Jul 2025 12:23:27 +0300 Subject: [PATCH] appview/pages: don't sanitize plaintext readmes Change-Id: ormxrmmzomqupqkpzwqzpxtowxtkzylw Also, sanitize the raw markdown before rendering. Signed-off-by: Anirudh Oppiliappan --- appview/pages/pages.go | 6 ++---- appview/pages/templates/repo/index.html | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/appview/pages/pages.go b/appview/pages/pages.go index 05a733d..eeea3f7 100644 --- a/appview/pages/pages.go +++ b/appview/pages/pages.go @@ -33,7 +33,6 @@ import ( "github.com/bluesky-social/indigo/atproto/syntax" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" - "github.com/microcosm-cc/bluemonday" ) //go:embed templates/* static @@ -502,13 +501,12 @@ func (p *Pages) RepoIndexPage(w io.Writer, params RepoIndexParams) error { ext := filepath.Ext(params.ReadmeFileName) switch ext { case ".md", ".markdown", ".mdown", ".mkdn", ".mkd": + htmlString = p.rctx.Sanitize(htmlString) htmlString = p.rctx.RenderMarkdown(params.Readme) params.Raw = false - params.HTMLReadme = template.HTML(p.rctx.Sanitize(htmlString)) + params.HTMLReadme = template.HTML(htmlString) default: - htmlString = string(params.Readme) params.Raw = true - params.HTMLReadme = template.HTML(bluemonday.NewPolicy().Sanitize(htmlString)) } } diff --git a/appview/pages/templates/repo/index.html b/appview/pages/templates/repo/index.html index dc75ec6..817b356 100644 --- a/appview/pages/templates/repo/index.html +++ b/appview/pages/templates/repo/index.html @@ -358,7 +358,7 @@ {{ end }} {{ define "repoAfter" }} - {{- if .HTMLReadme -}} + {{- if or .HTMLReadme .Readme -}}
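Review bot: In the markdown branch of `RepoIndexPage`, the added `htmlString = p.rctx.Sanitize(htmlString)` runs before `htmlString` is assigned from `RenderMarkdown`, so its result is overwritten on the next line and the renderer's output reaches `template.HTML(htmlString)` without passing through the sanitizer. The declaration of `htmlString` is outside the hunk, so it is presumably still empty at that point and the call is a no-op; it also does not touch `params.Readme`, which is what the commit message says should be sanitized. Because `template.HTML` turns off the template engine's escaping, repository-controlled README content would then be emitted as trusted markup. Sanitizing the rendered output is the safer order, since it also covers whatever HTML the renderer itself produces: keep `htmlString = p.rctx.RenderMarkdown(params.Readme)` followed by `params.HTMLReadme = template.HTML(p.rctx.Sanitize(htmlString))` and drop the added line. The function body starts and ends outside the hunk.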
{{- if .Raw -}}
-                        {{- .HTMLReadme -}}
+                        {{- .Readme -}}
                     
{{- else -}} {{ .HTMLReadme }} -- 2.43.0
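Review bot: The raw branch now prints `{{- .Readme -}}` with no sanitizer behind it, so its safety rests entirely on the template engine's contextual escaping, and nothing in the template records that. That holds only while `.Readme` stays a plain string (its type is not visible in this diff) and the template is executed by `html/template`, which the use of `template.HTML` in pages.go suggests. A short template comment next to the action would keep a later edit from marking the value safe, for example `{{- /* .Readme is untrusted plain text; it must stay auto-escaped, never template.HTML */ -}}`.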