From c5a408df052c32ff2a1872cc65d2cac451769f35 Mon Sep 17 00:00:00 2001 From: zeripath Date: Wed, 20 Oct 2021 21:58:39 +0100 Subject: [PATCH] Upgrade Bluemonday to v1.0.16 (#17372) Upgrade Bluemonday to latest version Signed-off-by: Andrew Thornton Co-authored-by: 6543 <6543@obermui.de> --- go.mod | 2 +- go.sum | 4 +- .../microcosm-cc/bluemonday/.editorconfig | 4 ++ .../microcosm-cc/bluemonday/.gitattributes | 1 + .../microcosm-cc/bluemonday/CREDITS.md | 3 +- .../microcosm-cc/bluemonday/Makefile | 8 ++- .../microcosm-cc/bluemonday/README.md | 6 +- .../github.com/microcosm-cc/bluemonday/go.mod | 1 - .../github.com/microcosm-cc/bluemonday/go.sum | 7 --- .../microcosm-cc/bluemonday/policy.go | 30 ++++++++++ .../microcosm-cc/bluemonday/sanitize.go | 57 ++++++++++++++++--- .../bluemonday/stringwriterwriter_go1.12.go | 1 + .../bluemonday/stringwriterwriter_ltgo1.12.go | 1 + vendor/modules.txt | 2 +- 14 files changed, 103 insertions(+), 24 deletions(-) create mode 100644 vendor/github.com/microcosm-cc/bluemonday/.editorconfig create mode 100644 vendor/github.com/microcosm-cc/bluemonday/.gitattributes diff --git a/go.mod b/go.mod index 7a4923e9e..ce22ba220 100644 --- a/go.mod +++ b/go.mod @@ -82,7 +82,7 @@ require ( github.com/mattn/go-runewidth v0.0.13 // indirect github.com/mattn/go-sqlite3 v1.14.8 github.com/mholt/archiver/v3 v3.5.0 - github.com/microcosm-cc/bluemonday v1.0.15 + github.com/microcosm-cc/bluemonday v1.0.16 github.com/miekg/dns v1.1.43 // indirect github.com/minio/md5-simd v1.1.2 // indirect github.com/minio/minio-go/v7 v7.0.12 diff --git a/go.sum b/go.sum index d935b6b84..fcf4e9f9e 100644 --- a/go.sum +++ b/go.sum @@ -869,8 +869,8 @@ github.com/mholt/acmez v0.1.3 h1:J7MmNIk4Qf9b8mAGqAh4XkNeowv3f1zW816yf4zt7Qk= github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM= github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE= github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= -github.com/microcosm-cc/bluemonday v1.0.15 h1:J4uN+qPng9rvkBZBoBb8YGR+ijuklIMpSOZZLjYpbeY= -github.com/microcosm-cc/bluemonday v1.0.15/go.mod h1:ZLvAzeakRwrGnzQEvstVzVt3ZpqOF2+sdFr0Om+ce30= +github.com/microcosm-cc/bluemonday v1.0.16 h1:kHmAq2t7WPWLjiGvzKa5o3HzSfahUKiOq7fAPUiMNIc= +github.com/microcosm-cc/bluemonday v1.0.16/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= diff --git a/vendor/github.com/microcosm-cc/bluemonday/.editorconfig b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig new file mode 100644 index 000000000..006bc2fc7 --- /dev/null +++ b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig @@ -0,0 +1,4 @@ +root = true + +[*] +end_of_line = lf diff --git a/vendor/github.com/microcosm-cc/bluemonday/.gitattributes b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes new file mode 100644 index 000000000..6313b56c5 --- /dev/null +++ b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes @@ -0,0 +1 @@ +* text=auto eol=lf diff --git a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md index b3185f543..68fa88da8 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md +++ b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md @@ -4,4 +4,5 @@ 1. Andrew Krasichkov @buglloc https://github.com/buglloc 1. Mike Samuel mikesamuel@gmail.com 1. Dmitri Shuralyov shurcooL@gmail.com -1. https://github.com/opennota \ No newline at end of file +1. opennota https://github.com/opennota https://gitlab.com/opennota +1. Tom Anthony https://www.tomanthony.co.uk/ \ No newline at end of file diff --git a/vendor/github.com/microcosm-cc/bluemonday/Makefile b/vendor/github.com/microcosm-cc/bluemonday/Makefile index b5903a2e8..dcd042a71 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/Makefile +++ b/vendor/github.com/microcosm-cc/bluemonday/Makefile @@ -3,6 +3,7 @@ # all: Builds the code locally after testing # # fmt: Formats the source files +# fmt-check: Check if the source files are formated # build: Builds the code locally # vet: Vets the code # lint: Runs lint over the code (you do not need to fix everything) @@ -11,6 +12,8 @@ # # install: Builds, tests and installs the code locally +GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*") + .PHONY: all fmt build vet lint test cover install # The first target is always the default action if `make` is called without @@ -19,7 +22,10 @@ all: fmt vet test install fmt: - @gofmt -s -w ./$* + @gofmt -s -w ${GOFILES_NOVENDOR} + +fmt-check: + @([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1) build: @go build diff --git a/vendor/github.com/microcosm-cc/bluemonday/README.md b/vendor/github.com/microcosm-cc/bluemonday/README.md index 6a34473ef..d20debf0e 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/README.md +++ b/vendor/github.com/microcosm-cc/bluemonday/README.md @@ -180,7 +180,7 @@ p.AllowElementsMatching(regex.MustCompile(`^my-element-`)) Or add elements as a virtue of adding an attribute: ```go -// Not the recommended pattern, see the recommendation on using .Matching() below +// Note the recommended pattern, see the recommendation on using .Matching() below p.AllowAttrs("nowrap").OnElements("td", "th") ``` @@ -222,7 +222,7 @@ p.AllowElements("fieldset", "select", "option") Although it's possible to handle inline CSS using `AllowAttrs` with a `Matching` rule, writing a single monolithic regular expression to safely process all inline CSS which you wish to allow is not a trivial task. Instead of attempting to do so, you can allow the `style` attribute on whichever element(s) you desire and use style policies to control and sanitize inline styles. -It is suggested that you use `Matching` (with a suitable regular expression) +It is strongly recommended that you use `Matching` (with a suitable regular expression) `MatchingEnum`, or `MatchingHandler` to ensure each style matches your needs, but default handlers are supplied for most widely used styles. @@ -379,6 +379,8 @@ Both examples exhibit the same issue, they declare attributes but do not then sp We are not yet including any tools to help allow and sanitize CSS. Which means that unless you wish to do the heavy lifting in a single regular expression (inadvisable), **you should not allow the "style" attribute anywhere**. +In the same theme, both `