RENDER_CONTENT_MODE = no-sanitizer still sanitizes output #35725

@jimparis

Description

The RENDER_CONTENT_MODE setting isn't working. If I set it to no-sanitize, it's still changing the rendered output. For example, with this config in my app.ini:

[markup.test]
ENABLED = true
FILE_EXTENSIONS = .test
RENDER_CONTENT_MODE = no-sanitizer
RENDER_COMMAND = echo <script>window.alert("hi")</script>

When I visit a foo.test file, Gitea is still sanitizing the output:

	<div class="ui bottom attached table unstackable segment">
		
		<div class="file-view markup test">
			
				&lt;script&gt;window.alert(&#34;hi&#34;)&lt;/script&gt;

			
		</div>
	</div>

I expected to see:

	<div class="ui bottom attached table unstackable segment">
		
		<div class="file-view markup test">
			
				<script>window.alert("hi")</script>

			
		</div>
	</div>

Gitea Version

1.24.6

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Linux

How are you running Gitea?

Official binary

Database

SQLite
