Diffstat (limited to 'vendor/github.com/microcosm-cc')
14 files changed, 18 insertions, 170 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml b/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml
deleted file mode 100644
index e0c87602f..000000000
--- a/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml
+++ /dev/null
@@ -1 +0,0 @@
-repo_token: x2wlA1x0X8CK45ybWpZRCVRB4g7vtkhaw
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.editorconfig b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
deleted file mode 100644
index 006bc2fc7..000000000
--- a/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
+++ /dev/null
@@ -1,4 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.gitattributes b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
deleted file mode 100644
index 6313b56c5..000000000
--- a/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-* text=auto eol=lf
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.gitignore b/vendor/github.com/microcosm-cc/bluemonday/.gitignore
deleted file mode 100644
index c3df40e7c..000000000
--- a/vendor/github.com/microcosm-cc/bluemonday/.gitignore
+++ /dev/null
@@ -1,15 +0,0 @@
- # Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# goland idea folder
-*.idea
\ No newline at end of file diff --git a/vendor/github.com/microcosm-cc/bluemonday/.travis.yml b/vendor/github.com/microcosm-cc/bluemonday/.travis.yml deleted file mode 100644 index 97175fbb8..000000000 --- a/vendor/github.com/microcosm-cc/bluemonday/.travis.yml +++ /dev/null @@ -1,26 +0,0 @@ -language: go -go: - - 1.2.x - - 1.3.x - - 1.4.x - - 1.5.x - - 1.6.x - - 1.7.x - - 1.8.x - - 1.9.x - - 1.10.x - - 1.11.x - - 1.12.x - - 1.13.x - - 1.14.x - - 1.15.x - - 1.16.x - - tip -matrix: - allow_failures: - - go: tip - fast_finish: true -install: - - go get . -script: - - go test -v ./... diff --git a/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md b/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md index 61b8cd352..d33909f81 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md +++ b/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md @@ -8,7 +8,7 @@ Third-party patches are essential for keeping bluemonday secure and offering the ## Guidelines -1. Do not vendor dependencies. As a security package, were we to vendor dependencies the projects that then vendor bluemonday may not receive the latest security updates to the dependencies. By not vendoring dependencies the project that implements bluemonday will vendor the latest version of any dependent packages. Vendoring is a project problem, not a package problem. bluemonday will be tested against the latest version of dependencies periodically and during any PR/merge. +1. Do not vendor dependencies. Vendoring is a project problem, not a package problem. 2. I do not care about spelling mistakes or whitespace and I do not believe that you should either. PRs therefore must be functional in their nature or be substantial and impactful if documentation or examples. 3. This module does not participate in hacktober, please make your contributions meaningful. 
@@ -31,10 +31,9 @@ If you are reporting a security flaw, you may expect that we will provide the co 1. Include tests for your patch, 1 test should encapsulate the entire patch and should refer to the Github issue 1. If you have added new exposed/public functionality, you should ensure it is documented appropriately 1. If you have added new exposed/public functionality, you should consider demonstrating how to use it within one of the helpers or shipped policies if appropriate or within a test if modifying a helper or policy is not appropriate - 1. Run all of the tests `go test -v ./...` or `make test` and ensure all tests pass - 1. Run gofmt `gofmt -w ./$*` or `make fmt` - 1. Run vet `go tool vet *.go` or `make vet` and resolve any issues - 1. Install golint using `go get -u github.com/golang/lint/golint` and run vet `golint *.go` or `make lint` and resolve every warning + 1. Run all of the tests `go test -v ./...` and ensure all tests pass + 1. Run gofmt `go fmt ./...` + 1. Run vet `go vet ./...` and resolve any issues * When submitting the pull request you should 1. Note the issue(s) it resolves, i.e. `Closes #6` in the pull request comment to close issue #6 when the pull request is accepted diff --git a/vendor/github.com/microcosm-cc/bluemonday/LICENSE.md b/vendor/github.com/microcosm-cc/bluemonday/LICENSE.md index 2e6c493ba..f822458ed 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/LICENSE.md +++ b/vendor/github.com/microcosm-cc/bluemonday/LICENSE.md @@ -1,6 +1,3 @@ -SPDX short identifier: BSD-3-Clause -https://opensource.org/licenses/BSD-3-Clause - Copyright (c) 2014, David Kitchen <david@buro9.com> All rights reserved. diff --git a/vendor/github.com/microcosm-cc/bluemonday/Makefile b/vendor/github.com/microcosm-cc/bluemonday/Makefile deleted file mode 100644 index 97e9541d6..000000000 --- a/vendor/github.com/microcosm-cc/bluemonday/Makefile +++ /dev/null 
@@ -1,48 +0,0 @@
-# Targets:
-#
-# all: Builds the code locally after testing
-#
-# fmt: Formats the source files
-# fmt-check: Check if the source files are formated
-# build: Builds the code locally
-# vet: Vets the code
-# staticcheck: Runs staticcheck over the code
-# test: Runs the tests
-# cover: Gives you the URL to a nice test coverage report
-#
-# install: Builds, tests and installs the code locally
-
-GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")
-
-.PHONY: all fmt build vet lint test cover install
-
-# The first target is always the default action if `make` is called without
-# args we build and install into $GOPATH so that it can just be run
-
-all: fmt vet test install
-
-fmt:
- @gofmt -s -w ${GOFILES_NOVENDOR}
-
-fmt-check:
- @([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1)
-
-build:
- @go build
-
-vet:
- @go vet
-
-staticcheck:
- @staticcheck ./...
-
-test:
- @go test -v ./...
-
-cover: COVERAGE_FILE := coverage.out
-cover:
- @go test -coverprofile=$(COVERAGE_FILE) && \
- go tool cover -html=$(COVERAGE_FILE) && rm $(COVERAGE_FILE)
-
-install:
- @go install ./...
diff --git a/vendor/github.com/microcosm-cc/bluemonday/README.md b/vendor/github.com/microcosm-cc/bluemonday/README.md
index 8e658fea7..023a3041f 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/README.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/README.md
@@ -56,14 +56,6 @@ The policy containing the allowlist is applied using a fast non-validating, forw We expect to be supplied with well-formatted HTML (closing elements for every applicable open element, nested correctly) and so we do not focus on repairing badly nested or incomplete HTML. We focus on simply ensuring that whatever elements do exist are described in the policy allowlist and that attributes and links are safe for use on your web page. [GIGO](http://en.wikipedia.org/wiki/Garbage_in,_garbage_out) does apply and if you feed it bad HTML bluemonday is not tasked with figuring out how to make it good again. -### Supported Go Versions - -bluemonday is tested on all versions since Go 1.2 including tip. - -We do not support Go 1.0 as we depend on `golang.org/x/net/html` which includes a reference to `io.ErrNoProgress` which did not exist in Go 1.0. - -We support Go 1.1 but Travis no longer tests against it. - ## Is it production ready? *Yes* @@ -76,7 +68,7 @@ We invite pull requests and issues to help us ensure we are offering comprehensi ## Usage -Install in your `${GOPATH}` using `go get -u github.com/microcosm-cc/bluemonday` +Install using `go get github.com/microcosm-cc/bluemonday` Then call it: ```go 
@@ -388,30 +380,6 @@ It is not the job of bluemonday to fix your bad HTML, it is merely the job of bl * Investigate whether devs want to blacklist elements and attributes. This would allow devs to take an existing policy (such as the `bluemonday.UGCPolicy()` ) that encapsulates 90% of what they're looking for but does more than they need, and to remove the extra things they do not want to make it 100% what they want * Investigate whether devs want a validating HTML mode, in which the HTML elements are not just transformed into a balanced tree (every start tag has a closing tag at the correct depth) but also that elements and character data appear only in their allowed context (i.e. that a `table` element isn't a descendent of a `caption`, that `colgroup`, `thead`, `tbody`, `tfoot` and `tr` are permitted, and that character data is not permitted) -## Development - -If you have cloned this repo you will probably need the dependency: - -`go get golang.org/x/net/html` - -Gophers can use their familiar tools: - -`go build` - -`go test` - -I personally use a Makefile as it spares typing the same args over and over whilst providing consistency for those of us who jump from language to language and enjoy just typing `make` in a project directory and watch magic happen. - -`make` will build, vet, test and install the library. - -`make clean` will remove the library from a *single* `${GOPATH}/pkg` directory tree - -`make test` will run the tests - -`make cover` will run the tests and *open a browser window* with the coverage report - -`make lint` will run golint (install via `go get github.com/golang/lint/golint`) - ## Long term goals 1. Open the code to adversarial peer review similar to the [Attack Review Ground Rules](https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules) diff --git a/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md b/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md index a344e7c05..682364e37 100644 
--- a/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md +++ b/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md @@ -4,12 +4,10 @@ Latest tag and tip are supported. -Older tags remain present but changes result in new tags and are not back ported... please verify any issue against the latest tag and tip. +Changes are not backported, please verify any issue against the latest tag and tip. ## Reporting a Vulnerability -Email: <bluemonday@buro9.com> +Report vulnerabilities either via [GitHub's private reporting flow](https://github.com/microcosm-cc/bluemonday/security/advisories/new) or via email to the security@ alias of geomys.org. -Bluemonday is pure OSS and not maintained by a company. As such there is no bug bounty program but security issues will be taken seriously and resolved as soon as possible. - -The maintainer lives in the United Kingdom and whilst the email is monitored expect a reply or ACK when the maintainer is awake. +There is no bug bounty program but security issues will be taken seriously and resolved as soon as possible. diff --git a/vendor/github.com/microcosm-cc/bluemonday/css/handlers.go b/vendor/github.com/microcosm-cc/bluemonday/css/handlers.go index f8b8b61af..41a00c8cb 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/css/handlers.go +++ b/vendor/github.com/microcosm-cc/bluemonday/css/handlers.go 
@@ -291,7 +291,7 @@ var ( Font = regexp.MustCompile(`^('[a-z \-]+'|[a-z \-]+)$`) Grayscale = regexp.MustCompile(`^grayscale\(([0-9]{1,2}|100)%\)$`) GridTemplateAreas = regexp.MustCompile(`^['"]?[a-z ]+['"]?$`) - HexRGB = regexp.MustCompile(`^#([0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$`) + HexRGB = regexp.MustCompile(`^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$`) HSL = regexp.MustCompile(`^hsl\([ ]*([012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%\)$`) HSLA = regexp.MustCompile(`^hsla\(([ ]*[012]?[0-9]{1,2}|3[0-5][0-9]|360),[ ]*([0-9]{0,2}|100)\%,[ ]*([0-9]{0,2}|100)\%,[ ]*(1|1\.0|0|(0\.[0-9]+))\)$`) HueRotate = regexp.MustCompile(`^hue-rotate\(([12]?[0-9]{1,2}|3[0-5][0-9]|360)?\)$`) diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go index 1f8d85526..47c31f7da 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go +++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go @@ -529,9 +529,11 @@ attrsLoop: if ap.regexp != nil { if ap.regexp.MatchString(htmlAttr.Val) { cleanAttrs = append(cleanAttrs, htmlAttr) + continue attrsLoop } } else { cleanAttrs = append(cleanAttrs, htmlAttr) + continue attrsLoop } } } @@ -762,10 +764,10 @@ attrsLoop: switch elementName { case "audio", "img", "link", "script", "video": var crossOriginFound bool - for _, htmlAttr := range cleanAttrs { + for i, htmlAttr := range cleanAttrs { if htmlAttr.Key == "crossorigin" { crossOriginFound = true - htmlAttr.Val = "anonymous" + cleanAttrs[i].Val = "anonymous" } } @@ -1087,3 +1089,8 @@ func normaliseElementName(str string) string { `"`, ) } + +type stringWriterWriter interface { + io.Writer + io.StringWriter +} diff --git a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go deleted file mode 100644 index 5d96b9778..000000000 
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
+++ /dev/null
@@ -1,11 +0,0 @@
-//go:build go1.12
-// +build go1.12
-
-package bluemonday
-
-import "io"
-
-type stringWriterWriter interface {
- io.Writer
- io.StringWriter
-}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
deleted file mode 100644
index ecdaa92ca..000000000
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
+++ /dev/null
@@ -1,15 +0,0 @@
-//go:build go1.1 && !go1.12
-// +build go1.1,!go1.12
-
-package bluemonday
-
-import "io"
-
-type stringWriterWriter interface {
- io.Writer
- StringWriter
-}
-
-type StringWriter interface {
- WriteString(s string) (n int, err error)
-}
|