[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.23 to 1.0.24 (#1843)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit is contained in:
dependabot[bot] 2023-05-29 14:03:08 +01:00 committed by GitHub
parent f620ee8da9
commit 049b02aab1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 22 additions and 4 deletions

2
go.mod
View file

@ -34,7 +34,7 @@ require (
github.com/h2non/filetype v1.1.3
github.com/jackc/pgconn v1.14.0
github.com/jackc/pgx/v5 v5.3.1
github.com/microcosm-cc/bluemonday v1.0.23
github.com/microcosm-cc/bluemonday v1.0.24
github.com/miekg/dns v1.1.54
github.com/minio/minio-go/v7 v7.0.55
github.com/mitchellh/mapstructure v1.5.0

4
go.sum
View file

@ -443,8 +443,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
github.com/microcosm-cc/bluemonday v1.0.23 h1:SMZe2IGa0NuHvnVNAZ+6B38gsTbi5e4sViiWJyDDqFY=
github.com/microcosm-cc/bluemonday v1.0.23/go.mod h1:mN70sk7UkkF8TUr2IGBpNN0jAgStuPzlK76QuruE/z4=
github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=

View file

@ -117,6 +117,10 @@ type Policy struct {
// returning true are allowed.
allowURLSchemes map[string][]urlPolicy
// These regexps are used to match allowed URL schemes, for example
// if one would want to allow all URL schemes, they would add `.+`
allowURLSchemeRegexps []*regexp.Regexp
// If an element has had all attributes removed as a result of a policy
// being applied, then the element would be removed from the output.
//
@ -221,6 +225,7 @@ func (p *Policy) init() {
p.elsMatchingAndStyles = make(map[*regexp.Regexp]map[string][]stylePolicy)
p.globalStyles = make(map[string][]stylePolicy)
p.allowURLSchemes = make(map[string][]urlPolicy)
p.allowURLSchemeRegexps = make([]*regexp.Regexp, 0)
p.setOfElementsAllowedWithoutAttrs = make(map[string]struct{})
p.setOfElementsToSkipContent = make(map[string]struct{})
p.initialized = true
@ -563,6 +568,13 @@ func (p *Policy) AllowElementsMatching(regex *regexp.Regexp) *Policy {
return p
}
// AllowURLSchemesMatching will append URL schemes to the allowlist if they
// match a regexp.
func (p *Policy) AllowURLSchemesMatching(r *regexp.Regexp) *Policy {
p.allowURLSchemeRegexps = append(p.allowURLSchemeRegexps, r)
return p
}
// RequireNoFollowOnLinks will result in all a, area, link tags having a
// rel="nofollow"added to them if one does not already exist
//

View file

@ -852,6 +852,7 @@ func (p *Policy) sanitizeStyles(attr html.Attribute, elementName string) html.At
}
//Add semi-colon to end to fix parsing issue
attr.Val = strings.TrimRight(attr.Val, " ")
if len(attr.Val) > 0 && attr.Val[len(attr.Val)-1] != ';' {
attr.Val = attr.Val + ";"
}
@ -969,6 +970,11 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
}
if u.Scheme != "" {
for _, r := range p.allowURLSchemeRegexps {
if r.MatchString(u.Scheme) {
return u.String(), true
}
}
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
if !ok {

2
vendor/modules.txt vendored
View file

@ -374,7 +374,7 @@ github.com/magiconair/properties
# github.com/mattn/go-isatty v0.0.18
## explicit; go 1.15
github.com/mattn/go-isatty
# github.com/microcosm-cc/bluemonday v1.0.23
# github.com/microcosm-cc/bluemonday v1.0.24
## explicit; go 1.19
github.com/microcosm-cc/bluemonday
github.com/microcosm-cc/bluemonday/css