Diffstat (limited to 'vendor/github.com/microcosm-cc/bluemonday/sanitize.go')
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/sanitize.go | 57 |
1 files changed, 49 insertions, 8 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
index 5f4b60d71..97628ce30 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -130,7 +130,7 @@ func escapeUrlComponent(w stringWriterWriter, val string) error {
 return err
 }
-// Query represents a single part of the query string, a query param
+// Query represents a single part of the query string, a query param
 type Query struct {
 Key string
 Value string
@@ -293,6 +293,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 mostRecentlyStartedToken = normaliseElementName(token.Data)
+ switch normaliseElementName(token.Data) {
+ case `script`:
+ if !p.allowUnsafe {
+ continue
+ }
+ case `style`:
+ if !p.allowUnsafe {
+ continue
+ }
+ }
+
 aps, ok := p.elsAndAttrs[token.Data]
 if !ok {
 aa, matched := p.matchRegex(token.Data)
@@ -341,6 +352,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 mostRecentlyStartedToken = ""
 }
+ switch normaliseElementName(token.Data) {
+ case `script`:
+ if !p.allowUnsafe {
+ continue
+ }
+ case `style`:
+ if !p.allowUnsafe {
+ continue
+ }
+ }
+
 if skipClosingTag && closingTagToSkipStack[len(closingTagToSkipStack)-1] == token.Data {
 closingTagToSkipStack = closingTagToSkipStack[:len(closingTagToSkipStack)-1]
 if len(closingTagToSkipStack) == 0 {
@@ -386,6 +408,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 case html.SelfClosingTagToken:
+ switch normaliseElementName(token.Data) {
+ case `script`:
+ if !p.allowUnsafe {
+ continue
+ }
+ case `style`:
+ if !p.allowUnsafe {
+ continue
+ }
+ }
+
 aps, ok := p.elsAndAttrs[token.Data]
 if !ok {
 aa, matched := p.matchRegex(token.Data)
@@ -425,14 +458,22 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 case `script`:
 // not encouraged, but if a policy allows JavaScript we
 // should not HTML escape it as that would break the output
- if _, err := buff.WriteString(token.Data); err != nil {
- return err
+ //
+ // requires p.AllowUnsafe()
+ if p.allowUnsafe {
+ if _, err := buff.WriteString(token.Data); err != nil {
+ return err
+ }
 }
 case "style":
 // not encouraged, but if a policy allows CSS styles we
 // should not HTML escape it as that would break the output
- if _, err := buff.WriteString(token.Data); err != nil {
- return err
+ //
+ // requires p.AllowUnsafe()
+ if p.allowUnsafe {
+ if _, err := buff.WriteString(token.Data); err != nil {
+ return err
+ }
 }
 default:
 // HTML escape the text
@@ -524,11 +565,11 @@ attrsLoop:
 for _, ap := range apl {
 if ap.regexp != nil {
 if ap.regexp.MatchString(htmlAttr.Val) {
- htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+ htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 cleanAttrs = append(cleanAttrs, htmlAttr)
 }
 } else {
- htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+ htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 cleanAttrs = append(cleanAttrs, htmlAttr)
 }
 }
@@ -1058,4 +1099,4 @@ func escapeAttribute(val string) string {
 val = strings.Replace(val, string([]rune{'\u00A0'}), ` `, -1)
 val = strings.Replace(val, `"`, `"`, -1)
 return val
-}
\ No newline at end of file
+}
|