[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.26 to 1.0.27 (#3081)

go.mod

@@ -41,7 +41,7 @@ require (
 	github.com/gorilla/websocket v1.5.2
 	github.com/h2non/filetype v1.1.3
 	github.com/jackc/pgx/v5 v5.6.0
-	github.com/microcosm-cc/bluemonday v1.0.26
+	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/miekg/dns v1.1.61
 	github.com/minio/minio-go/v7 v7.0.72
 	github.com/mitchellh/mapstructure v1.5.0
@@ -142,7 +142,7 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
+	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/gorilla/sessions v1.2.2 // indirect

go.sum

@@ -331,8 +331,8 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGa
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.2 h1:WRkNAv2uoa03QNIc1A6u4O7DAGMUVoopZhkiXWA2V1o=
 github.com/gorilla/context v1.1.2/go.mod h1:KDPwT9i/MeWHiLl90fuTgrt4/wPcv75vFAZLaOOcbxM=
-github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
-github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
+github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
+github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/feeds v1.2.0 h1:O6pBiXJ5JHhPvqy53NsjKOThq+dNFm8+DFrxBEdzSCc=
 github.com/gorilla/feeds v1.2.0/go.mod h1:WMib8uJP3BbY+X8Szd1rA5Pzhdfh+HCCAYT2z7Fza6Y=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
@@ -416,8 +416,8 @@ github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/microcosm-cc/bluemonday v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
-github.com/microcosm-cc/bluemonday v1.0.26/go.mod h1:JyzOCs9gkyQyjs+6h10UEVSe02CGwkhd72Xdqh78TWs=
+github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
+github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
 github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=

vendor/github.com/gorilla/css/LICENSE

@@ -1,27 +1,28 @@
-Copyright (c) 2013, Gorilla web toolkit
-All rights reserved.
+Copyright (c) 2023 The Gorilla Authors. All rights reserved.
 
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
 
-  Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
+	 * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+	 * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+	 * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
 
-  Redistributions in binary form must reproduce the above copyright notice, this
-  list of conditions and the following disclaimer in the documentation and/or
-  other materials provided with the distribution.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-  Neither the name of the {organization} nor the names of its
-  contributors may be used to endorse or promote products derived from
-  this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/gorilla/css/scanner/scanner.go

@@ -191,7 +191,11 @@ func init() {
 // New returns a new CSS scanner for the given input.
 func New(input string) *Scanner {
 	// Normalize newlines.
+	// https://www.w3.org/TR/css-syntax-3/#input-preprocessing
 	input = strings.Replace(input, "\r\n", "\n", -1)
+	input = strings.Replace(input, "\r", "\n", -1)
+	input = strings.Replace(input, "\f", "\n", -1)
+	input = strings.Replace(input, "\u0000", "\ufffd", -1)
 	return &Scanner{
 		input: input,
 		row:   1,
@@ -232,7 +236,7 @@ func (s *Scanner) Next() *Token {
 	// shortcut before testing multiple regexps.
 	input := s.input[s.pos:]
 	switch input[0] {
-	case '\t', '\n', '\f', '\r', ' ':
+	case '\t', '\n', ' ':
 		// Whitespace.
 		return s.emitToken(TokenS, matchers[TokenS].FindString(input))
 	case '.':

vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml

@@ -1 +0,0 @@
-repo_token: x2wlA1x0X8CK45ybWpZRCVRB4g7vtkhaw

vendor/github.com/microcosm-cc/bluemonday/.editorconfig

@@ -1,4 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf

vendor/github.com/microcosm-cc/bluemonday/.gitattributes

@@ -1 +0,0 @@
-* text=auto eol=lf

vendor/github.com/microcosm-cc/bluemonday/.gitignore

@@ -1,15 +0,0 @@
- # Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# goland idea folder
-*.idea

vendor/github.com/microcosm-cc/bluemonday/.travis.yml

@@ -1,26 +0,0 @@
-language: go
-go:
-  - 1.2.x
-  - 1.3.x
-  - 1.4.x
-  - 1.5.x
-  - 1.6.x
-  - 1.7.x
-  - 1.8.x
-  - 1.9.x
-  - 1.10.x
-  - 1.11.x
-  - 1.12.x
-  - 1.13.x
-  - 1.14.x
-  - 1.15.x
-  - 1.16.x
-  - tip
-matrix:
-  allow_failures:
-    - go: tip
-  fast_finish: true
-install:
-  - go get .
-script:
-  - go test -v ./...

vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md

@@ -8,7 +8,7 @@ Third-party patches are essential for keeping bluemonday secure and offering the
 
 ## Guidelines
 
-1. Do not vendor dependencies. As a security package, were we to vendor dependencies the projects that then vendor bluemonday may not receive the latest security updates to the dependencies. By not vendoring dependencies the project that implements bluemonday will vendor the latest version of any dependent packages. Vendoring is a project problem, not a package problem. bluemonday will be tested against the latest version of dependencies periodically and during any PR/merge.
+1. Do not vendor dependencies. Vendoring is a project problem, not a package problem. 
 2. I do not care about spelling mistakes or whitespace and I do not believe that you should either. PRs therefore must be functional in their nature or be substantial and impactful if documentation or examples.
 3. This module does not participate in hacktober, please make your contributions meaningful.
 
@@ -31,10 +31,9 @@ If you are reporting a security flaw, you may expect that we will provide the co
   1. Include tests for your patch, 1 test should encapsulate the entire patch and should refer to the Github issue
   1. If you have added new exposed/public functionality, you should ensure it is documented appropriately
   1. If you have added new exposed/public functionality, you should consider demonstrating how to use it within one of the helpers or shipped policies if appropriate or within a test if modifying a helper or policy is not appropriate
-  1. Run all of the tests `go test -v ./...` or `make test` and ensure all tests pass
-  1. Run gofmt `gofmt -w ./$*` or `make fmt`
-  1. Run vet `go tool vet *.go` or `make vet` and resolve any issues
-  1. Install golint using `go get -u github.com/golang/lint/golint` and run vet `golint *.go` or `make lint` and resolve every warning
+  1. Run all of the tests `go test -v ./...` and ensure all tests pass
+  1. Run gofmt `go fmt ./...`
+  1. Run vet `go vet ./...` and resolve any issues
 * When submitting the pull request you should
   1. Note the issue(s) it resolves, i.e. `Closes #6` in the pull request comment to close issue #6 when the pull request is accepted
 

vendor/github.com/microcosm-cc/bluemonday/LICENSE.md

@@ -1,6 +1,3 @@
-SPDX short identifier: BSD-3-Clause
-https://opensource.org/licenses/BSD-3-Clause
-
 Copyright (c) 2014, David Kitchen <david@buro9.com>
 
 All rights reserved.

vendor/github.com/microcosm-cc/bluemonday/Makefile

@@ -1,48 +0,0 @@
-# Targets:
-#
-#   all:          Builds the code locally after testing
-#
-#   fmt:          Formats the source files
-#   fmt-check:    Check if the source files are formated
-#   build:        Builds the code locally
-#   vet:          Vets the code
-#   staticcheck:  Runs staticcheck over the code
-#   test:         Runs the tests
-#   cover:        Gives you the URL to a nice test coverage report
-#
-#   install:      Builds, tests and installs the code locally
-
-GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")
-
-.PHONY: all fmt build vet lint test cover install
-
-# The first target is always the default action if `make` is called without
-# args we build and install into $GOPATH so that it can just be run
-
-all: fmt vet test install
-
-fmt:
-	@gofmt -s -w ${GOFILES_NOVENDOR}
-
-fmt-check:
-	@([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1)
-
-build:
-	@go build
-
-vet:
-	@go vet
-
-staticcheck:
-	@staticcheck ./...
-
-test:
-	@go test -v ./...
-
-cover: COVERAGE_FILE := coverage.out
-cover:
-	@go test -coverprofile=$(COVERAGE_FILE) && \
-	go tool cover -html=$(COVERAGE_FILE) && rm $(COVERAGE_FILE)
-
-install:
-	@go install ./...

vendor/github.com/microcosm-cc/bluemonday/README.md

@@ -56,14 +56,6 @@ The policy containing the allowlist is applied using a fast non-validating, forw
 
 We expect to be supplied with well-formatted HTML (closing elements for every applicable open element, nested correctly) and so we do not focus on repairing badly nested or incomplete HTML. We focus on simply ensuring that whatever elements do exist are described in the policy allowlist and that attributes and links are safe for use on your web page. [GIGO](http://en.wikipedia.org/wiki/Garbage_in,_garbage_out) does apply and if you feed it bad HTML bluemonday is not tasked with figuring out how to make it good again.
 
-### Supported Go Versions
-
-bluemonday is tested on all versions since Go 1.2 including tip.
-
-We do not support Go 1.0 as we depend on `golang.org/x/net/html` which includes a reference to `io.ErrNoProgress` which did not exist in Go 1.0.
-
-We support Go 1.1 but Travis no longer tests against it.
-
 ## Is it production ready?
 
 *Yes*
@@ -76,7 +68,7 @@ We invite pull requests and issues to help us ensure we are offering comprehensi
 
 ## Usage
 
-Install in your `${GOPATH}` using `go get -u github.com/microcosm-cc/bluemonday`
+Install using `go get github.com/microcosm-cc/bluemonday`
 
 Then call it:
 ```go
@@ -388,30 +380,6 @@ It is not the job of bluemonday to fix your bad HTML, it is merely the job of bl
 * Investigate whether devs want to blacklist elements and attributes. This would allow devs to take an existing policy (such as the `bluemonday.UGCPolicy()` ) that encapsulates 90% of what they're looking for but does more than they need, and to remove the extra things they do not want to make it 100% what they want
 * Investigate whether devs want a validating HTML mode, in which the HTML elements are not just transformed into a balanced tree (every start tag has a closing tag at the correct depth) but also that elements and character data appear only in their allowed context (i.e. that a `table` element isn't a descendent of a `caption`, that `colgroup`, `thead`, `tbody`, `tfoot` and `tr` are permitted, and that character data is not permitted)
 
-## Development
-
-If you have cloned this repo you will probably need the dependency:
-
-`go get golang.org/x/net/html`
-
-Gophers can use their familiar tools:
-
-`go build`
-
-`go test`
-
-I personally use a Makefile as it spares typing the same args over and over whilst providing consistency for those of us who jump from language to language and enjoy just typing `make` in a project directory and watch magic happen.
-
-`make` will build, vet, test and install the library.
-
-`make clean` will remove the library from a *single* `${GOPATH}/pkg` directory tree
-
-`make test` will run the tests
-
-`make cover` will run the tests and *open a browser window* with the coverage report
-
-`make lint` will run golint (install via `go get github.com/golang/lint/golint`)
-
 ## Long term goals
 
 1. Open the code to adversarial peer review similar to the [Attack Review Ground Rules](https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules)

vendor/github.com/microcosm-cc/bluemonday/SECURITY.md

@@ -4,12 +4,10 @@
 
 Latest tag and tip are supported.
 
-Older tags remain present but changes result in new tags and are not back ported... please verify any issue against the latest tag and tip.
+Changes are not backported, please verify any issue against the latest tag and tip.
 
 ## Reporting a Vulnerability
 
-Email: <bluemonday@buro9.com>
+Report vulnerabilities either via [GitHub's private reporting flow](https://github.com/microcosm-cc/bluemonday/security/advisories/new) or via email to the security@ alias of geomys.org.
 
-Bluemonday is pure OSS and not maintained by a company. As such there is no bug bounty program but security issues will be taken seriously and resolved as soon as possible.
-
-The maintainer lives in the United Kingdom and whilst the email is monitored expect a reply or ACK when the maintainer is awake.
+There is no bug bounty program but security issues will be taken seriously and resolved as soon as possible.

vendor/github.com/microcosm-cc/bluemonday/css/handlers.go

@@ -291,7 +291,7 @@
 	Font              = regexp.MustCompile(`^('[a-z \-]+'|[a-z \-]+)$`)
 	Grayscale         = regexp.MustCompile(`^grayscale\(([0-9]{1,2}|100)%\)$`)
 	GridTemplateAreas = regexp.MustCompile(`^['"]?[a-z ]+['"]?$`)
-	HexRGB            = regexp.MustCompile(`^#([0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$`)
+	HexRGB            = regexp.MustCompile(`^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$`)
 	HSL               = regexp.MustCompile(`^hsl\([ ]*([012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%\)$`)
 	HSLA              = regexp.MustCompile(`^hsla\(([ ]*[012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%,[ ]*(1|1\.0|0|(0\.[0-9]+))\)$`)
 	HueRotate         = regexp.MustCompile(`^hue-rotate\(([12]?[0-9]{1,2}|3[0-5][0-9]|360)?\)$`)

vendor/github.com/microcosm-cc/bluemonday/sanitize.go

@@ -529,9 +529,11 @@ func (p *Policy) sanitizeAttrs(
 				if ap.regexp != nil {
 					if ap.regexp.MatchString(htmlAttr.Val) {
 						cleanAttrs = append(cleanAttrs, htmlAttr)
+						continue attrsLoop
 					}
 				} else {
 					cleanAttrs = append(cleanAttrs, htmlAttr)
+					continue attrsLoop
 				}
 			}
 		}
@@ -762,10 +764,10 @@ func (p *Policy) sanitizeAttrs(
 		switch elementName {
 		case "audio", "img", "link", "script", "video":
 			var crossOriginFound bool
-			for _, htmlAttr := range cleanAttrs {
+			for i, htmlAttr := range cleanAttrs {
 				if htmlAttr.Key == "crossorigin" {
 					crossOriginFound = true
-					htmlAttr.Val = "anonymous"
+					cleanAttrs[i].Val = "anonymous"
 				}
 			}
 
@@ -1087,3 +1089,8 @@ func normaliseElementName(str string) string {
 		`"`,
 	)
 }
+
+type stringWriterWriter interface {
+	io.Writer
+	io.StringWriter
+}

vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go

@@ -1,11 +0,0 @@
-//go:build go1.12
-// +build go1.12
-
-package bluemonday
-
-import "io"
-
-type stringWriterWriter interface {
-	io.Writer
-	io.StringWriter
-}

vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go

@@ -1,15 +0,0 @@
-//go:build go1.1 && !go1.12
-// +build go1.1,!go1.12
-
-package bluemonday
-
-import "io"
-
-type stringWriterWriter interface {
-	io.Writer
-	StringWriter
-}
-
-type StringWriter interface {
-	WriteString(s string) (n int, err error)
-}

vendor/modules.txt

@@ -359,8 +359,8 @@ github.com/google/uuid
 # github.com/gorilla/context v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/context
-# github.com/gorilla/css v1.0.0
-## explicit
+# github.com/gorilla/css v1.0.1
+## explicit; go 1.20
 github.com/gorilla/css/scanner
 # github.com/gorilla/feeds v1.2.0
 ## explicit; go 1.20
@@ -478,8 +478,8 @@ github.com/mailru/easyjson/jwriter
 # github.com/mattn/go-isatty v0.0.20
 ## explicit; go 1.15
 github.com/mattn/go-isatty
-# github.com/microcosm-cc/bluemonday v1.0.26
-## explicit; go 1.21
+# github.com/microcosm-cc/bluemonday v1.0.27
+## explicit; go 1.19
 github.com/microcosm-cc/bluemonday
 github.com/microcosm-cc/bluemonday/css
 # github.com/miekg/dns v1.1.61