| author | 2021-11-13 12:29:08 +0100 | |
|---|---|---|
| committer | 2021-11-13 12:29:08 +0100 | |
| commit | 829a934d23ab221049b4d54926305d8d5d64c9ad (patch) | |
| tree | f4e382b289c113d3ba8a3c7a183507a5609c46c0 /vendor/github.com/microcosm-cc/bluemonday/policy.go | |
| parent | smtp + email confirmation (#285) (diff) | |
| download | gotosocial-829a934d23ab221049b4d54926305d8d5d64c9ad.tar.xz | |
update dependencies (#296)
Diffstat (limited to 'vendor/github.com/microcosm-cc/bluemonday/policy.go')
| -rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/policy.go | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go
index 602a20379..71f6b8db8 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/policy.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@@ -134,6 +134,19 @@ type Policy struct {
 	setOfElementsMatchingAllowedWithoutAttrs []*regexp.Regexp
 	setOfElementsToSkipContent map[string]struct{}
+
+	// Permits fundamentally unsafe elements.
+	//
+	// If false (default) then elements such as `style` and `script` will not be
+	// permitted even if declared in a policy. These elements when combined with
+	// untrusted input cannot be safely handled by bluemonday at this point in
+	// time.
+	//
+	// If true then `style` and `script` would be permitted by bluemonday if a
+	// policy declares them. However this is not recommended under any circumstance
+	// and can lead to XSS being rendered thus defeating the purpose of using a
+	// HTML sanitizer.
+	allowUnsafe bool
 }
 
 type attrPolicy struct {
@@ -714,6 +727,23 @@ func (p *Policy) AllowElementsContent(names ...string) *Policy {
 	return p
 }
 
+// AllowUnsafe permits fundamentally unsafe elements.
+//
+// If false (default) then elements such as `style` and `script` will not be
+// permitted even if declared in a policy. These elements when combined with
+// untrusted input cannot be safely handled by bluemonday at this point in
+// time.
+//
+// If true then `style` and `script` would be permitted by bluemonday if a
+// policy declares them. However this is not recommended under any circumstance
+// and can lead to XSS being rendered thus defeating the purpose of using a
+// HTML sanitizer.
+func (p *Policy) AllowUnsafe(allowUnsafe bool) *Policy {
+	p.init()
+	p.allowUnsafe = allowUnsafe
+	return p
+}
+
 // addDefaultElementsWithoutAttrs adds the HTML elements that we know are valid
 // without any attributes to an internal map.
 // i.e. we know that <table> is valid, but <bdo> isn't valid as the "dir" attr |
