[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.26 to 1.0.27 (#3081)

This commit is contained in:
dependabot[bot] 2024-07-08 07:34:39 +00:00 committed by GitHub
parent a81455e81c
commit 5769722c58
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 57 additions and 204 deletions

4
go.mod
View File

@ -41,7 +41,7 @@ require (
github.com/gorilla/websocket v1.5.2
github.com/h2non/filetype v1.1.3
github.com/jackc/pgx/v5 v5.6.0
github.com/microcosm-cc/bluemonday v1.0.26
github.com/microcosm-cc/bluemonday v1.0.27
github.com/miekg/dns v1.1.61
github.com/minio/minio-go/v7 v7.0.72
github.com/mitchellh/mapstructure v1.5.0
@ -142,7 +142,7 @@ require (
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
github.com/gorilla/context v1.1.2 // indirect
github.com/gorilla/css v1.0.0 // indirect
github.com/gorilla/css v1.0.1 // indirect
github.com/gorilla/handlers v1.5.2 // indirect
github.com/gorilla/securecookie v1.1.2 // indirect
github.com/gorilla/sessions v1.2.2 // indirect

8
go.sum
View File

@ -331,8 +331,8 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGa
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/gorilla/context v1.1.2 h1:WRkNAv2uoa03QNIc1A6u4O7DAGMUVoopZhkiXWA2V1o=
github.com/gorilla/context v1.1.2/go.mod h1:KDPwT9i/MeWHiLl90fuTgrt4/wPcv75vFAZLaOOcbxM=
github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
github.com/gorilla/feeds v1.2.0 h1:O6pBiXJ5JHhPvqy53NsjKOThq+dNFm8+DFrxBEdzSCc=
github.com/gorilla/feeds v1.2.0/go.mod h1:WMib8uJP3BbY+X8Szd1rA5Pzhdfh+HCCAYT2z7Fza6Y=
github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
@ -416,8 +416,8 @@ github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/microcosm-cc/bluemonday v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
github.com/microcosm-cc/bluemonday v1.0.26/go.mod h1:JyzOCs9gkyQyjs+6h10UEVSe02CGwkhd72Xdqh78TWs=
github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=

View File

@ -1,27 +1,28 @@
Copyright (c) 2013, Gorilla web toolkit
All rights reserved.
Copyright (c) 2023 The Gorilla Authors. All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Neither the name of the {organization} nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

View File

@ -191,7 +191,11 @@ func init() {
// New returns a new CSS scanner for the given input.
func New(input string) *Scanner {
// Normalize newlines.
// https://www.w3.org/TR/css-syntax-3/#input-preprocessing
input = strings.Replace(input, "\r\n", "\n", -1)
input = strings.Replace(input, "\r", "\n", -1)
input = strings.Replace(input, "\f", "\n", -1)
input = strings.Replace(input, "\u0000", "\ufffd", -1)
return &Scanner{
input: input,
row: 1,
@ -232,7 +236,7 @@ func (s *Scanner) Next() *Token {
// shortcut before testing multiple regexps.
input := s.input[s.pos:]
switch input[0] {
case '\t', '\n', '\f', '\r', ' ':
case '\t', '\n', ' ':
// Whitespace.
return s.emitToken(TokenS, matchers[TokenS].FindString(input))
case '.':

View File

@ -1 +0,0 @@
repo_token: x2wlA1x0X8CK45ybWpZRCVRB4g7vtkhaw

View File

@ -1,4 +0,0 @@
root = true
[*]
end_of_line = lf

View File

@ -1 +0,0 @@
* text=auto eol=lf

View File

@ -1,15 +0,0 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
# Test binary, built with `go test -c`
*.test
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# goland idea folder
*.idea

View File

@ -1,26 +0,0 @@
language: go
go:
- 1.2.x
- 1.3.x
- 1.4.x
- 1.5.x
- 1.6.x
- 1.7.x
- 1.8.x
- 1.9.x
- 1.10.x
- 1.11.x
- 1.12.x
- 1.13.x
- 1.14.x
- 1.15.x
- 1.16.x
- tip
matrix:
allow_failures:
- go: tip
fast_finish: true
install:
- go get .
script:
- go test -v ./...

View File

@ -8,7 +8,7 @@ Third-party patches are essential for keeping bluemonday secure and offering the
## Guidelines
1. Do not vendor dependencies. As a security package, were we to vendor dependencies the projects that then vendor bluemonday may not receive the latest security updates to the dependencies. By not vendoring dependencies the project that implements bluemonday will vendor the latest version of any dependent packages. Vendoring is a project problem, not a package problem. bluemonday will be tested against the latest version of dependencies periodically and during any PR/merge.
1. Do not vendor dependencies. Vendoring is a project problem, not a package problem.
2. I do not care about spelling mistakes or whitespace and I do not believe that you should either. PRs therefore must be functional in their nature or be substantial and impactful if documentation or examples.
3. This module does not participate in hacktober, please make your contributions meaningful.
@ -31,10 +31,9 @@ If you are reporting a security flaw, you may expect that we will provide the co
1. Include tests for your patch, 1 test should encapsulate the entire patch and should refer to the Github issue
1. If you have added new exposed/public functionality, you should ensure it is documented appropriately
1. If you have added new exposed/public functionality, you should consider demonstrating how to use it within one of the helpers or shipped policies if appropriate or within a test if modifying a helper or policy is not appropriate
1. Run all of the tests `go test -v ./...` or `make test` and ensure all tests pass
1. Run gofmt `gofmt -w ./$*` or `make fmt`
1. Run vet `go tool vet *.go` or `make vet` and resolve any issues
1. Install golint using `go get -u github.com/golang/lint/golint` and run vet `golint *.go` or `make lint` and resolve every warning
1. Run all of the tests `go test -v ./...` and ensure all tests pass
1. Run gofmt `go fmt ./...`
1. Run vet `go vet ./...` and resolve any issues
* When submitting the pull request you should
1. Note the issue(s) it resolves, i.e. `Closes #6` in the pull request comment to close issue #6 when the pull request is accepted

View File

@ -1,6 +1,3 @@
SPDX short identifier: BSD-3-Clause
https://opensource.org/licenses/BSD-3-Clause
Copyright (c) 2014, David Kitchen <david@buro9.com>
All rights reserved.

View File

@ -1,48 +0,0 @@
# Targets:
#
# all: Builds the code locally after testing
#
# fmt: Formats the source files
# fmt-check: Check if the source files are formated
# build: Builds the code locally
# vet: Vets the code
# staticcheck: Runs staticcheck over the code
# test: Runs the tests
# cover: Gives you the URL to a nice test coverage report
#
# install: Builds, tests and installs the code locally
GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")
.PHONY: all fmt build vet lint test cover install
# The first target is always the default action if `make` is called without
# args we build and install into $GOPATH so that it can just be run
all: fmt vet test install
fmt:
@gofmt -s -w ${GOFILES_NOVENDOR}
fmt-check:
@([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1)
build:
@go build
vet:
@go vet
staticcheck:
@staticcheck ./...
test:
@go test -v ./...
cover: COVERAGE_FILE := coverage.out
cover:
@go test -coverprofile=$(COVERAGE_FILE) && \
go tool cover -html=$(COVERAGE_FILE) && rm $(COVERAGE_FILE)
install:
@go install ./...

View File

@ -56,14 +56,6 @@ The policy containing the allowlist is applied using a fast non-validating, forw
We expect to be supplied with well-formatted HTML (closing elements for every applicable open element, nested correctly) and so we do not focus on repairing badly nested or incomplete HTML. We focus on simply ensuring that whatever elements do exist are described in the policy allowlist and that attributes and links are safe for use on your web page. [GIGO](http://en.wikipedia.org/wiki/Garbage_in,_garbage_out) does apply and if you feed it bad HTML bluemonday is not tasked with figuring out how to make it good again.
### Supported Go Versions
bluemonday is tested on all versions since Go 1.2 including tip.
We do not support Go 1.0 as we depend on `golang.org/x/net/html` which includes a reference to `io.ErrNoProgress` which did not exist in Go 1.0.
We support Go 1.1 but Travis no longer tests against it.
## Is it production ready?
*Yes*
@ -76,7 +68,7 @@ We invite pull requests and issues to help us ensure we are offering comprehensi
## Usage
Install in your `${GOPATH}` using `go get -u github.com/microcosm-cc/bluemonday`
Install using `go get github.com/microcosm-cc/bluemonday`
Then call it:
```go
@ -388,30 +380,6 @@ It is not the job of bluemonday to fix your bad HTML, it is merely the job of bl
* Investigate whether devs want to blacklist elements and attributes. This would allow devs to take an existing policy (such as the `bluemonday.UGCPolicy()` ) that encapsulates 90% of what they're looking for but does more than they need, and to remove the extra things they do not want to make it 100% what they want
* Investigate whether devs want a validating HTML mode, in which the HTML elements are not just transformed into a balanced tree (every start tag has a closing tag at the correct depth) but also that elements and character data appear only in their allowed context (i.e. that a `table` element isn't a descendent of a `caption`, that `colgroup`, `thead`, `tbody`, `tfoot` and `tr` are permitted, and that character data is not permitted)
## Development
If you have cloned this repo you will probably need the dependency:
`go get golang.org/x/net/html`
Gophers can use their familiar tools:
`go build`
`go test`
I personally use a Makefile as it spares typing the same args over and over whilst providing consistency for those of us who jump from language to language and enjoy just typing `make` in a project directory and watch magic happen.
`make` will build, vet, test and install the library.
`make clean` will remove the library from a *single* `${GOPATH}/pkg` directory tree
`make test` will run the tests
`make cover` will run the tests and *open a browser window* with the coverage report
`make lint` will run golint (install via `go get github.com/golang/lint/golint`)
## Long term goals
1. Open the code to adversarial peer review similar to the [Attack Review Ground Rules](https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules)

View File

@ -4,12 +4,10 @@
Latest tag and tip are supported.
Older tags remain present but changes result in new tags and are not back ported... please verify any issue against the latest tag and tip.
Changes are not backported, please verify any issue against the latest tag and tip.
## Reporting a Vulnerability
Email: <bluemonday@buro9.com>
Report vulnerabilities either via [GitHub's private reporting flow](https://github.com/microcosm-cc/bluemonday/security/advisories/new) or via email to the security@ alias of geomys.org.
Bluemonday is pure OSS and not maintained by a company. As such there is no bug bounty program but security issues will be taken seriously and resolved as soon as possible.
The maintainer lives in the United Kingdom and whilst the email is monitored expect a reply or ACK when the maintainer is awake.
There is no bug bounty program but security issues will be taken seriously and resolved as soon as possible.

View File

@ -291,7 +291,7 @@
Font = regexp.MustCompile(`^('[a-z \-]+'|[a-z \-]+)$`)
Grayscale = regexp.MustCompile(`^grayscale\(([0-9]{1,2}|100)%\)$`)
GridTemplateAreas = regexp.MustCompile(`^['"]?[a-z ]+['"]?$`)
HexRGB = regexp.MustCompile(`^#([0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$`)
HexRGB = regexp.MustCompile(`^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$`)
HSL = regexp.MustCompile(`^hsl\([ ]*([012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%\)$`)
HSLA = regexp.MustCompile(`^hsla\(([ ]*[012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%,[ ]*(1|1\.0|0|(0\.[0-9]+))\)$`)
HueRotate = regexp.MustCompile(`^hue-rotate\(([12]?[0-9]{1,2}|3[0-5][0-9]|360)?\)$`)

View File

@ -529,9 +529,11 @@ func (p *Policy) sanitizeAttrs(
if ap.regexp != nil {
if ap.regexp.MatchString(htmlAttr.Val) {
cleanAttrs = append(cleanAttrs, htmlAttr)
continue attrsLoop
}
} else {
cleanAttrs = append(cleanAttrs, htmlAttr)
continue attrsLoop
}
}
}
@ -762,10 +764,10 @@ func (p *Policy) sanitizeAttrs(
switch elementName {
case "audio", "img", "link", "script", "video":
var crossOriginFound bool
for _, htmlAttr := range cleanAttrs {
for i, htmlAttr := range cleanAttrs {
if htmlAttr.Key == "crossorigin" {
crossOriginFound = true
htmlAttr.Val = "anonymous"
cleanAttrs[i].Val = "anonymous"
}
}
@ -1087,3 +1089,8 @@ func normaliseElementName(str string) string {
`"`,
)
}
type stringWriterWriter interface {
io.Writer
io.StringWriter
}

View File

@ -1,11 +0,0 @@
//go:build go1.12
// +build go1.12
package bluemonday
import "io"
type stringWriterWriter interface {
io.Writer
io.StringWriter
}

View File

@ -1,15 +0,0 @@
//go:build go1.1 && !go1.12
// +build go1.1,!go1.12
package bluemonday
import "io"
type stringWriterWriter interface {
io.Writer
StringWriter
}
type StringWriter interface {
WriteString(s string) (n int, err error)
}

8
vendor/modules.txt vendored
View File

@ -359,8 +359,8 @@ github.com/google/uuid
# github.com/gorilla/context v1.1.2
## explicit; go 1.20
github.com/gorilla/context
# github.com/gorilla/css v1.0.0
## explicit
# github.com/gorilla/css v1.0.1
## explicit; go 1.20
github.com/gorilla/css/scanner
# github.com/gorilla/feeds v1.2.0
## explicit; go 1.20
@ -478,8 +478,8 @@ github.com/mailru/easyjson/jwriter
# github.com/mattn/go-isatty v0.0.20
## explicit; go 1.15
github.com/mattn/go-isatty
# github.com/microcosm-cc/bluemonday v1.0.26
## explicit; go 1.21
# github.com/microcosm-cc/bluemonday v1.0.27
## explicit; go 1.19
github.com/microcosm-cc/bluemonday
github.com/microcosm-cc/bluemonday/css
# github.com/miekg/dns v1.1.61