mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-22 11:46:40 +00:00
[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.24 to 1.0.25 (#2021)
This commit is contained in:
parent
b05f6c8f56
commit
81fe59dadc
2
go.mod
2
go.mod
|
@ -34,7 +34,7 @@ require (
|
|||
github.com/h2non/filetype v1.1.3
|
||||
github.com/jackc/pgconn v1.14.1
|
||||
github.com/jackc/pgx/v5 v5.4.2
|
||||
github.com/microcosm-cc/bluemonday v1.0.24
|
||||
github.com/microcosm-cc/bluemonday v1.0.25
|
||||
github.com/miekg/dns v1.1.55
|
||||
github.com/minio/minio-go/v7 v7.0.60
|
||||
github.com/mitchellh/mapstructure v1.5.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -444,8 +444,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
|
|||
github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
|
||||
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
|
||||
github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
|
||||
github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
|
||||
github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
|
||||
github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
|
||||
github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
|
||||
github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
|
||||
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
|
||||
|
|
6
vendor/github.com/microcosm-cc/bluemonday/helpers.go
generated
vendored
6
vendor/github.com/microcosm-cc/bluemonday/helpers.go
generated
vendored
|
@ -222,11 +222,7 @@ func(url *url.URL) (allowUrl bool) {
|
|||
}
|
||||
|
||||
_, err := base64.StdEncoding.DecodeString(url.Opaque[len(matched):])
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
return err == nil
|
||||
},
|
||||
)
|
||||
}
|
||||
|
|
40
vendor/github.com/microcosm-cc/bluemonday/policy.go
generated
vendored
40
vendor/github.com/microcosm-cc/bluemonday/policy.go
generated
vendored
|
@ -118,9 +118,18 @@ type Policy struct {
|
|||
allowURLSchemes map[string][]urlPolicy
|
||||
|
||||
// These regexps are used to match allowed URL schemes, for example
|
||||
// if one would want to allow all URL schemes, they would add `.+`
|
||||
// if one would want to allow all URL schemes, they would add `.+`.
|
||||
// However pay attention as this can lead to XSS being rendered thus
|
||||
// defeating the purpose of using a HTML sanitizer.
|
||||
// The regexps are only considered if a schema was not explicitly
|
||||
// handled by `AllowURLSchemes` or `AllowURLSchemeWithCustomPolicy`.
|
||||
allowURLSchemeRegexps []*regexp.Regexp
|
||||
|
||||
// If srcRewriter is not nil, it is used to rewrite the src attribute
|
||||
// of tags that download resources, such as <img> and <script>.
|
||||
// It requires that the URL is parsable by "net/url" url.Parse().
|
||||
srcRewriter urlRewriter
|
||||
|
||||
// If an element has had all attributes removed as a result of a policy
|
||||
// being applied, then the element would be removed from the output.
|
||||
//
|
||||
|
@ -196,6 +205,8 @@ type stylePolicyBuilder struct {
|
|||
|
||||
type urlPolicy func(url *url.URL) (allowUrl bool)
|
||||
|
||||
type urlRewriter func(*url.URL)
|
||||
|
||||
type SandboxValue int64
|
||||
|
||||
const (
|
||||
|
@ -575,6 +586,33 @@ func (p *Policy) AllowURLSchemesMatching(r *regexp.Regexp) *Policy {
|
|||
return p
|
||||
}
|
||||
|
||||
// RewriteSrc will rewrite the src attribute of a resource downloading tag
|
||||
// (e.g. <img>, <script>, <iframe>) using the provided function.
|
||||
//
|
||||
// Typically the use case here is that if the content that we're sanitizing
|
||||
// is untrusted then the content that is inlined is also untrusted.
|
||||
// To prevent serving this content on the same domain as the content appears
|
||||
// on it is good practise to proxy the content through an additional domain
|
||||
// name as this will force the web client to consider the inline content as
|
||||
// third party to the main content, thus providing browser isolation around
|
||||
// the inline content.
|
||||
//
|
||||
// An example of this is a web mail provider like fastmail.com , when an
|
||||
// email (user generated content) is displayed, the email text is shown on
|
||||
// fastmail.com but the inline attachments and content are rendered from
|
||||
// fastmailusercontent.com . This proxying of the external content on a
|
||||
// domain that is different to the content domain forces the browser domain
|
||||
// security model to kick in. Note that this only applies to differences
|
||||
// below the suffix (as per the publix suffix list).
|
||||
//
|
||||
// This is a good practise to adopt as it prevents the content from being
|
||||
// able to set cookies on the main domain and thus prevents the content on
|
||||
// the main domain from being able to read those cookies.
|
||||
func (p *Policy) RewriteSrc(fn urlRewriter) *Policy {
|
||||
p.srcRewriter = fn
|
||||
return p
|
||||
}
|
||||
|
||||
// RequireNoFollowOnLinks will result in all a, area, link tags having a
|
||||
// rel="nofollow"added to them if one does not already exist
|
||||
//
|
||||
|
|
49
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
49
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
|
@ -95,41 +95,6 @@ func (p *Policy) SanitizeReaderToWriter(r io.Reader, w io.Writer) error {
|
|||
return p.sanitize(r, w)
|
||||
}
|
||||
|
||||
const escapedURLChars = "'<>\"\r"
|
||||
|
||||
func escapeUrlComponent(w stringWriterWriter, val string) error {
|
||||
i := strings.IndexAny(val, escapedURLChars)
|
||||
for i != -1 {
|
||||
if _, err := w.WriteString(val[:i]); err != nil {
|
||||
return err
|
||||
}
|
||||
var esc string
|
||||
switch val[i] {
|
||||
case '\'':
|
||||
// "'" is shorter than "'" and apos was not in HTML until HTML5.
|
||||
esc = "'"
|
||||
case '<':
|
||||
esc = "<"
|
||||
case '>':
|
||||
esc = ">"
|
||||
case '"':
|
||||
// """ is shorter than """.
|
||||
esc = """
|
||||
case '\r':
|
||||
esc = " "
|
||||
default:
|
||||
panic("unrecognized escape character")
|
||||
}
|
||||
val = val[i+1:]
|
||||
if _, err := w.WriteString(esc); err != nil {
|
||||
return err
|
||||
}
|
||||
i = strings.IndexAny(val, escapedURLChars)
|
||||
}
|
||||
_, err := w.WriteString(val)
|
||||
return err
|
||||
}
|
||||
|
||||
// Query represents a single part of the query string, a query param
|
||||
type Query struct {
|
||||
Key string
|
||||
|
@ -612,6 +577,14 @@ func (p *Policy) sanitizeAttrs(
|
|||
case "audio", "embed", "iframe", "img", "script", "source", "track", "video":
|
||||
if htmlAttr.Key == "src" {
|
||||
if u, ok := p.validURL(htmlAttr.Val); ok {
|
||||
if p.srcRewriter != nil {
|
||||
parsedURL, err := url.Parse(u)
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
p.srcRewriter(parsedURL)
|
||||
u = parsedURL.String()
|
||||
}
|
||||
htmlAttr.Val = u
|
||||
tmpAttrs = append(tmpAttrs, htmlAttr)
|
||||
}
|
||||
|
@ -970,14 +943,14 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
|
|||
}
|
||||
|
||||
if u.Scheme != "" {
|
||||
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
|
||||
if !ok {
|
||||
for _, r := range p.allowURLSchemeRegexps {
|
||||
if r.MatchString(u.Scheme) {
|
||||
return u.String(), true
|
||||
}
|
||||
}
|
||||
|
||||
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
|
||||
if !ok {
|
||||
return "", false
|
||||
}
|
||||
|
||||
|
@ -986,7 +959,7 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
|
|||
}
|
||||
|
||||
for _, urlPolicy := range urlPolicies {
|
||||
if urlPolicy(u) == true {
|
||||
if urlPolicy(u) {
|
||||
return u.String(), true
|
||||
}
|
||||
}
|
||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -376,7 +376,7 @@ github.com/magiconair/properties
|
|||
# github.com/mattn/go-isatty v0.0.19
|
||||
## explicit; go 1.15
|
||||
github.com/mattn/go-isatty
|
||||
# github.com/microcosm-cc/bluemonday v1.0.24
|
||||
# github.com/microcosm-cc/bluemonday v1.0.25
|
||||
## explicit; go 1.19
|
||||
github.com/microcosm-cc/bluemonday
|
||||
github.com/microcosm-cc/bluemonday/css
|
||||
|
|
Loading…
Reference in a new issue