New Upstream Release - golang-github-microcosm-cc-bluemonday
Ready changes
Summary
Merged new upstream version: 1.0.23 (was: 1.0.22).
Diff
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 350375d..f02c42d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,7 +5,7 @@ jobs:
strategy:
fail-fast: false
matrix:
- go-version: [1.17.x, 1.18.x]
+ go-version: [1.19.x, 1.20.x]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
@@ -24,8 +24,6 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.x
+ go-version: 1.20.x
- name: Checkout code
uses: actions/checkout@v2
- - name: Check Code Formation
- run: make fmt-check
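Review bot: Deleting the `Check Code Formation` step (`make fmt-check`) removes the only formatting gate from CI rather than fixing it; if the step was dropped because newer gofmt rewrites doc comments (the doc.go and helpers.go hunks in this diff are whitespace-only reformatting of exactly that kind), re-run the check on the pinned `1.20.x` toolchain instead of removing it. This job also keeps `actions/setup-go@v2` and `actions/checkout@v2` while bumping the Go version; consider updating the actions in the same change.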
diff --git a/debian/changelog b/debian/changelog
index cba3df2..a82fedd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-microcosm-cc-bluemonday (1.0.23-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+ * New upstream release.
+
+ -- Debian Janitor <janitor@jelmer.uk> Tue, 25 Apr 2023 13:12:12 -0000
+
golang-github-microcosm-cc-bluemonday (1.0.20-1) unstable; urgency=medium
* Team upload
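Review bot: The new entry lists `* New upstream release.` twice; collapse it to a single bullet. The entry also jumps from 1.0.20-1 straight to 1.0.23-1 although the summary says the previous version was 1.0.22 and the historical runs record a 1.0.22 merge, so check whether an intermediate entry was lost. Since upstream's go.mod now retracts every release up to v1.0.22 and bumps golang.org/x/net to v0.8.0, a one-line mention of both would help downstream security review.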
diff --git a/doc.go b/doc.go
index ba2d775..d95e8a9 100644
--- a/doc.go
+++ b/doc.go
@@ -35,31 +35,31 @@ the allowlist will be stripped.
The default bluemonday.UGCPolicy().Sanitize() turns this:
- Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
+ Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
Into the more harmless:
- Hello World
+ Hello World
And it turns this:
- <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
+ <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
Into this:
- XSS
+ XSS
Whilst still allowing this:
- <a href="http://www.google.com/">
- <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
- </a>
+ <a href="http://www.google.com/">
+ <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+ </a>
To pass through mostly unaltered (it gained a rel="nofollow"):
- <a href="http://www.google.com/" rel="nofollow">
- <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
- </a>
+ <a href="http://www.google.com/" rel="nofollow">
+ <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+ </a>
The primary purpose of bluemonday is to take potentially unsafe user generated
content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
@@ -95,10 +95,10 @@ attributes are considered safe for your scenario. OWASP provide an XSS
prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet )
to help explain the risks, but essentially:
- 1. Avoid allowing anything other than plain HTML elements
- 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
- elements
- 3. Avoid allowing anything other than plain HTML elements with simple
- values that you can match to a regexp
+ 1. Avoid allowing anything other than plain HTML elements
+ 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
+ elements
+ 3. Avoid allowing anything other than plain HTML elements with simple
+ values that you can match to a regexp
*/
package bluemonday
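Review bot: The `-` and `+` lines in both doc.go hunks render identically, so this is indentation-only reformatting of the package comment with no change in meaning. While touching this text, the "OWASP XSS prevention cheat sheet" link in the context lines still points at a Google search (`https://www.google.com/search?q=...`) rather than the cheat sheet itself; replace it with the direct OWASP URL so readers of the sanitizer's own documentation land on the authoritative guidance.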
diff --git a/go.mod b/go.mod
index 34ff248..41b51ce 100644
--- a/go.mod
+++ b/go.mod
@@ -4,10 +4,9 @@ go 1.19
require (
github.com/aymerick/douceur v0.2.0
- golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
+ golang.org/x/net v0.8.0
)
require github.com/gorilla/css v1.0.0 // indirect
-retract [v1.0.0, v1.0.18] // Retract older versions as only latest is to be depended upon
-retract v1.0.19 // Uses older version of golang.org/x/net
+retract [v1.0.0, v1.0.22] // Retract older versions as only latest is to be depended upon
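Review bot: The new `retract [v1.0.0, v1.0.22]` folds the separate v1.0.19 retraction into one range and retracts the very version this merge replaces, which matches the stated policy that only the latest release is to be depended upon; downstream packagers will now see every prior version flagged by `go list -m -u`, so the Debian changelog should say so. The move from a pseudo-version of golang.org/x/net to the tagged v0.8.0 is the security-relevant part of this release for a sanitizer whose parsing relies on x/net/html, and the go.sum hunk below is consistent with it.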
diff --git a/go.sum b/go.sum
index 81ad6ef..0de18c6 100644
--- a/go.sum
+++ b/go.sum
@@ -2,5 +2,5 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b h1:ZmngSVLe/wycRns9MKikG9OWIEjGcGAkacif7oYQaUY=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
diff --git a/helpers.go b/helpers.go
index d403949..2b03d7e 100644
--- a/helpers.go
+++ b/helpers.go
@@ -193,10 +193,11 @@ func (p *Policy) AllowImages() {
// http://en.wikipedia.org/wiki/Data_URI_scheme
//
// Images must have a mimetype matching:
-// image/gif
-// image/jpeg
-// image/png
-// image/webp
+//
+// image/gif
+// image/jpeg
+// image/png
+// image/webp
//
// NOTE: There is a potential security risk to allowing data URIs and you should
// only permit them on content you already trust.
diff --git a/policy.go b/policy.go
index 1a5e00c..c446fad 100644
--- a/policy.go
+++ b/policy.go
@@ -879,6 +879,7 @@ func (p *Policy) addDefaultElementsWithoutAttrs() {
p.setOfElementsAllowedWithoutAttrs["optgroup"] = struct{}{}
p.setOfElementsAllowedWithoutAttrs["option"] = struct{}{}
p.setOfElementsAllowedWithoutAttrs["p"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["picture"] = struct{}{}
p.setOfElementsAllowedWithoutAttrs["pre"] = struct{}{}
p.setOfElementsAllowedWithoutAttrs["q"] = struct{}{}
p.setOfElementsAllowedWithoutAttrs["rp"] = struct{}{}
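Review bot: Adding `picture` to `setOfElementsAllowedWithoutAttrs` is what lets the bare `<picture>` wrapper in the new TestIssue161 survive, since the element carries no attributes of its own and would otherwise be stripped even after `AllowElements("picture", ...)`; that is reasonable for a pure container. `source` is deliberately not added, so a `<source>` whose attributes are all removed by policy is still dropped, which is the safer default. A short comment on the added line referencing issue 161 would help the next reader understand why this container is special-cased.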
diff --git a/sanitize.go b/sanitize.go
index 904ee82..1046145 100644
--- a/sanitize.go
+++ b/sanitize.go
@@ -440,8 +440,8 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
if _, err := buff.WriteString(" "); err != nil {
return err
}
- break
}
+ break
}
if !skipElementContent {
if _, err := buff.WriteString(token.String()); err != nil {
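Review bot: Moving `break` from inside the inner `if` to after its closing brace changes the control flow: the enclosing case or loop is now left unconditionally after this block instead of only when the inner condition (the branch that writes a trailing space) held. The eight context lines do not show the enclosing `switch`/`case` or the condition being tested, so correctness rests on the new TestRemovingEmptySelfClosingTag in sanitize_test.go, which only covers `<input/>` with an attribute policy on `input`; add a case for the same path without any attribute policy, since that test's own comment says the bug appeared only when one was specified.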
diff --git a/sanitize_test.go b/sanitize_test.go
index 3a0345d..ee2596e 100644
--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -1151,7 +1151,7 @@ echo('IPT>alert("XSS")</SCRIPT>'); ?>`,
expected: ``,
},
{
- in: `<IMG SRC="jav ascript:alert('XSS');">`,
+ in: `<IMG SRC="jav ascript:alert('XSS');">`,
expected: ``,
},
{
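Review bot: The `-` and `+` lines here render identically, so the change is to whitespace inside the raw string literal. This test exists precisely to check that whitespace embedded in a `javascript:` scheme is still neutralised, so confirm which character changed (a tab versus spaces) and that the new literal still represents the vector the test was written for; writing the embedded character as an escape in an interpreted string (`"jav\tascript:..."`) would stop an editor from silently altering it again.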
@@ -1612,7 +1612,7 @@ func TestComments(t *testing.T) {
// for every user of bluemonday that utilises .AllowComments()
{
in: `<!--[if gte mso 9]>Hello<![endif]-->`,
- expected: `<!--[if gte mso 9]>Hello<![endif]-->`,
+ expected: `<!--[if gte mso 9]>Hello<![endif]-->`,
},
}
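Review bot: Same situation as the previous hunk: the old and new `expected` values for the conditional comment render identically, so only whitespace inside the raw string changed. Since the surrounding comment says this output must be preserved exactly for every user of `.AllowComments()`, make the changed whitespace explicit (an escape or a comment naming the character) so the expected value cannot drift unnoticed.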
@@ -3913,3 +3913,55 @@ func TestIssue147(t *testing.T) {
expected)
}
}
+
+func TestRemovingEmptySelfClosingTag(t *testing.T) {
+ p := NewPolicy()
+
+ // Only broke when attribute policy was specified.
+ p.AllowAttrs("type").OnElements("input")
+
+ input := `<input/>`
+ out := p.Sanitize(input)
+ expected := ``
+ if out != expected {
+ t.Errorf(
+ "test failed;\ninput : %s\noutput : %s\nexpected: %s",
+ input,
+ out,
+ expected)
+ }
+}
+
+func TestIssue161(t *testing.T) {
+ // https://github.com/microcosm-cc/bluemonday/issues/161
+ //
+ // ```
+ // p.AllowElementsMatching(regexp.MustCompile(`^custom-`))
+ // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`))
+ // ```
+ // This does not work as expected. This looks like a limitation, and the
+ // question is whether the matching has to be applied in a second location
+ // to overcome the limitation.
+ //
+ // However the issue is really that the `.Matching()` returns an attribute
+ // test that has to be bound to some elements, it isn't a global test.
+ //
+ // This should work:
+ // ```
+ // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)).OnElementsMatching(regexp.MustCompile(`^custom-`))
+ // ```
+ p := UGCPolicy()
+ p.AllowElements("picture", "source")
+ p.AllowAttrs("srcset", "src", "type", "media").OnElements("source")
+
+ input := `<picture><source src="b.jpg" media="(prefers-color-scheme: dark)"></source><img src="a.jpg"></picture>`
+ out := p.Sanitize(input)
+ expected := input
+ if out != expected {
+ t.Errorf(
+ "test failed;\ninput : %s\noutput : %s\nexpected: %s",
+ input,
+ out,
+ expected)
+ }
+}
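Review bot: In TestIssue161 the assertion `expected := input` couples the test to the sanitizer echoing the input byte for byte, including the explicit `</source>` close tag on a void element; if the parser ever normalises that, the test fails for a reason unrelated to the issue, so spell the expected output out as a literal. TestRemovingEmptySelfClosingTag only checks that `<input/>` is removed; add the positive counterpart (`<input type="text"/>` under the same `AllowAttrs("type").OnElements("input")` policy, expected to be kept) so the fix is shown not to over-strip. The fenced snippets inside the TestIssue161 comment are also fine as documentation but could be shortened to the one-line working form on the last snippet.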
More details
Historical runs
- failed: FAIL github.com/microcosm-cc/bluemonday 0.719s
- success: Merged new upstream version 1.0.22
- push-failed: Failed to push result branch: Connection closed: Connection closed early The remote server unexpectedly closed the connection.
- nothing-to-do: Last upstream version 1.0.20 already imported.
- unable-to-find-upstream-tarball: Unable to find the needed upstream tarball for golang-github-microcosm-cc-bluemonday, version 2.6.1.