mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-26 05:36:38 +00:00
[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.24 to 1.0.25 (#2021)
This commit is contained in:
parent
b05f6c8f56
commit
81fe59dadc
2
go.mod
2
go.mod
|
@ -34,7 +34,7 @@ require (
|
||||||
github.com/h2non/filetype v1.1.3
|
github.com/h2non/filetype v1.1.3
|
||||||
github.com/jackc/pgconn v1.14.1
|
github.com/jackc/pgconn v1.14.1
|
||||||
github.com/jackc/pgx/v5 v5.4.2
|
github.com/jackc/pgx/v5 v5.4.2
|
||||||
github.com/microcosm-cc/bluemonday v1.0.24
|
github.com/microcosm-cc/bluemonday v1.0.25
|
||||||
github.com/miekg/dns v1.1.55
|
github.com/miekg/dns v1.1.55
|
||||||
github.com/minio/minio-go/v7 v7.0.60
|
github.com/minio/minio-go/v7 v7.0.60
|
||||||
github.com/mitchellh/mapstructure v1.5.0
|
github.com/mitchellh/mapstructure v1.5.0
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -444,8 +444,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
|
||||||
github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
|
github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
|
||||||
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||||
github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
|
github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
|
||||||
github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
|
github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
|
||||||
github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
|
github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
|
||||||
github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
|
github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
|
||||||
github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
|
github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
|
||||||
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
|
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
|
||||||
|
|
6
vendor/github.com/microcosm-cc/bluemonday/helpers.go
generated
vendored
6
vendor/github.com/microcosm-cc/bluemonday/helpers.go
generated
vendored
|
@ -222,11 +222,7 @@ func(url *url.URL) (allowUrl bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err := base64.StdEncoding.DecodeString(url.Opaque[len(matched):])
|
_, err := base64.StdEncoding.DecodeString(url.Opaque[len(matched):])
|
||||||
if err != nil {
|
return err == nil
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
40
vendor/github.com/microcosm-cc/bluemonday/policy.go
generated
vendored
40
vendor/github.com/microcosm-cc/bluemonday/policy.go
generated
vendored
|
@ -118,9 +118,18 @@ type Policy struct {
|
||||||
allowURLSchemes map[string][]urlPolicy
|
allowURLSchemes map[string][]urlPolicy
|
||||||
|
|
||||||
// These regexps are used to match allowed URL schemes, for example
|
// These regexps are used to match allowed URL schemes, for example
|
||||||
// if one would want to allow all URL schemes, they would add `.+`
|
// if one would want to allow all URL schemes, they would add `.+`.
|
||||||
|
// However pay attention as this can lead to XSS being rendered thus
|
||||||
|
// defeating the purpose of using a HTML sanitizer.
|
||||||
|
// The regexps are only considered if a schema was not explicitly
|
||||||
|
// handled by `AllowURLSchemes` or `AllowURLSchemeWithCustomPolicy`.
|
||||||
allowURLSchemeRegexps []*regexp.Regexp
|
allowURLSchemeRegexps []*regexp.Regexp
|
||||||
|
|
||||||
|
// If srcRewriter is not nil, it is used to rewrite the src attribute
|
||||||
|
// of tags that download resources, such as <img> and <script>.
|
||||||
|
// It requires that the URL is parsable by "net/url" url.Parse().
|
||||||
|
srcRewriter urlRewriter
|
||||||
|
|
||||||
// If an element has had all attributes removed as a result of a policy
|
// If an element has had all attributes removed as a result of a policy
|
||||||
// being applied, then the element would be removed from the output.
|
// being applied, then the element would be removed from the output.
|
||||||
//
|
//
|
||||||
|
@ -196,6 +205,8 @@ type stylePolicyBuilder struct {
|
||||||
|
|
||||||
type urlPolicy func(url *url.URL) (allowUrl bool)
|
type urlPolicy func(url *url.URL) (allowUrl bool)
|
||||||
|
|
||||||
|
type urlRewriter func(*url.URL)
|
||||||
|
|
||||||
type SandboxValue int64
|
type SandboxValue int64
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -575,6 +586,33 @@ func (p *Policy) AllowURLSchemesMatching(r *regexp.Regexp) *Policy {
|
||||||
return p
|
return p
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RewriteSrc will rewrite the src attribute of a resource downloading tag
|
||||||
|
// (e.g. <img>, <script>, <iframe>) using the provided function.
|
||||||
|
//
|
||||||
|
// Typically the use case here is that if the content that we're sanitizing
|
||||||
|
// is untrusted then the content that is inlined is also untrusted.
|
||||||
|
// To prevent serving this content on the same domain as the content appears
|
||||||
|
// on it is good practise to proxy the content through an additional domain
|
||||||
|
// name as this will force the web client to consider the inline content as
|
||||||
|
// third party to the main content, thus providing browser isolation around
|
||||||
|
// the inline content.
|
||||||
|
//
|
||||||
|
// An example of this is a web mail provider like fastmail.com , when an
|
||||||
|
// email (user generated content) is displayed, the email text is shown on
|
||||||
|
// fastmail.com but the inline attachments and content are rendered from
|
||||||
|
// fastmailusercontent.com . This proxying of the external content on a
|
||||||
|
// domain that is different to the content domain forces the browser domain
|
||||||
|
// security model to kick in. Note that this only applies to differences
|
||||||
|
// below the suffix (as per the publix suffix list).
|
||||||
|
//
|
||||||
|
// This is a good practise to adopt as it prevents the content from being
|
||||||
|
// able to set cookies on the main domain and thus prevents the content on
|
||||||
|
// the main domain from being able to read those cookies.
|
||||||
|
func (p *Policy) RewriteSrc(fn urlRewriter) *Policy {
|
||||||
|
p.srcRewriter = fn
|
||||||
|
return p
|
||||||
|
}
|
||||||
|
|
||||||
// RequireNoFollowOnLinks will result in all a, area, link tags having a
|
// RequireNoFollowOnLinks will result in all a, area, link tags having a
|
||||||
// rel="nofollow"added to them if one does not already exist
|
// rel="nofollow"added to them if one does not already exist
|
||||||
//
|
//
|
||||||
|
|
49
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
49
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
|
@ -95,41 +95,6 @@ func (p *Policy) SanitizeReaderToWriter(r io.Reader, w io.Writer) error {
|
||||||
return p.sanitize(r, w)
|
return p.sanitize(r, w)
|
||||||
}
|
}
|
||||||
|
|
||||||
const escapedURLChars = "'<>\"\r"
|
|
||||||
|
|
||||||
func escapeUrlComponent(w stringWriterWriter, val string) error {
|
|
||||||
i := strings.IndexAny(val, escapedURLChars)
|
|
||||||
for i != -1 {
|
|
||||||
if _, err := w.WriteString(val[:i]); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var esc string
|
|
||||||
switch val[i] {
|
|
||||||
case '\'':
|
|
||||||
// "'" is shorter than "'" and apos was not in HTML until HTML5.
|
|
||||||
esc = "'"
|
|
||||||
case '<':
|
|
||||||
esc = "<"
|
|
||||||
case '>':
|
|
||||||
esc = ">"
|
|
||||||
case '"':
|
|
||||||
// """ is shorter than """.
|
|
||||||
esc = """
|
|
||||||
case '\r':
|
|
||||||
esc = " "
|
|
||||||
default:
|
|
||||||
panic("unrecognized escape character")
|
|
||||||
}
|
|
||||||
val = val[i+1:]
|
|
||||||
if _, err := w.WriteString(esc); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
i = strings.IndexAny(val, escapedURLChars)
|
|
||||||
}
|
|
||||||
_, err := w.WriteString(val)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Query represents a single part of the query string, a query param
|
// Query represents a single part of the query string, a query param
|
||||||
type Query struct {
|
type Query struct {
|
||||||
Key string
|
Key string
|
||||||
|
@ -612,6 +577,14 @@ func (p *Policy) sanitizeAttrs(
|
||||||
case "audio", "embed", "iframe", "img", "script", "source", "track", "video":
|
case "audio", "embed", "iframe", "img", "script", "source", "track", "video":
|
||||||
if htmlAttr.Key == "src" {
|
if htmlAttr.Key == "src" {
|
||||||
if u, ok := p.validURL(htmlAttr.Val); ok {
|
if u, ok := p.validURL(htmlAttr.Val); ok {
|
||||||
|
if p.srcRewriter != nil {
|
||||||
|
parsedURL, err := url.Parse(u)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
p.srcRewriter(parsedURL)
|
||||||
|
u = parsedURL.String()
|
||||||
|
}
|
||||||
htmlAttr.Val = u
|
htmlAttr.Val = u
|
||||||
tmpAttrs = append(tmpAttrs, htmlAttr)
|
tmpAttrs = append(tmpAttrs, htmlAttr)
|
||||||
}
|
}
|
||||||
|
@ -970,14 +943,14 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if u.Scheme != "" {
|
if u.Scheme != "" {
|
||||||
|
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
|
||||||
|
if !ok {
|
||||||
for _, r := range p.allowURLSchemeRegexps {
|
for _, r := range p.allowURLSchemeRegexps {
|
||||||
if r.MatchString(u.Scheme) {
|
if r.MatchString(u.Scheme) {
|
||||||
return u.String(), true
|
return u.String(), true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
|
|
||||||
if !ok {
|
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -986,7 +959,7 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, urlPolicy := range urlPolicies {
|
for _, urlPolicy := range urlPolicies {
|
||||||
if urlPolicy(u) == true {
|
if urlPolicy(u) {
|
||||||
return u.String(), true
|
return u.String(), true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -376,7 +376,7 @@ github.com/magiconair/properties
|
||||||
# github.com/mattn/go-isatty v0.0.19
|
# github.com/mattn/go-isatty v0.0.19
|
||||||
## explicit; go 1.15
|
## explicit; go 1.15
|
||||||
github.com/mattn/go-isatty
|
github.com/mattn/go-isatty
|
||||||
# github.com/microcosm-cc/bluemonday v1.0.24
|
# github.com/microcosm-cc/bluemonday v1.0.25
|
||||||
## explicit; go 1.19
|
## explicit; go 1.19
|
||||||
github.com/microcosm-cc/bluemonday
|
github.com/microcosm-cc/bluemonday
|
||||||
github.com/microcosm-cc/bluemonday/css
|
github.com/microcosm-cc/bluemonday/css
|
||||||
|
|
Loading…
Reference in a new issue