Diffstat (limited to 'vendor/github.com')
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/doc.go | 30 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/helpers.go | 9 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/sanitize.go | 2 |
3 files changed, 21 insertions, 20 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/doc.go b/vendor/github.com/microcosm-cc/bluemonday/doc.go
index ba2d775ac..d95e8a9d2 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/doc.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/doc.go
@@ -35,31 +35,31 @@ the allowlist will be stripped.
 The default bluemonday.UGCPolicy().Sanitize() turns this:
- Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
+ Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
 Into the more harmless:
- Hello World
+ Hello World
 And it turns this:
- <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
+ <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
 Into this:
- XSS
+ XSS
 Whilst still allowing this:
- <a href="http://www.google.com/">
- <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
- </a>
+ <a href="http://www.google.com/">
+ <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+ </a>
 To pass through mostly unaltered (it gained a rel="nofollow"):
- <a href="http://www.google.com/" rel="nofollow">
- <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
- </a>
+ <a href="http://www.google.com/" rel="nofollow">
+ <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+ </a>
 The primary purpose of bluemonday is to take potentially unsafe user generated content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
@@ -95,10 +95,10 @@ attributes are considered safe for your scenario.
 OWASP provide an XSS prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet ) to help explain the risks, but essentially:
- 1. Avoid allowing anything other than plain HTML elements
- 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
- elements
- 3. Avoid allowing anything other than plain HTML elements with simple
- values that you can match to a regexp
+ 1. Avoid allowing anything other than plain HTML elements
+ 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
+ elements
+ 3. Avoid allowing anything other than plain HTML elements with simple
+ values that you can match to a regexp
 */
 package bluemonday
diff --git a/vendor/github.com/microcosm-cc/bluemonday/helpers.go b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
index d4039492e..2b03d7e7d 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/helpers.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
@@ -193,10 +193,11 @@ func (p *Policy) AllowImages() {
 // http://en.wikipedia.org/wiki/Data_URI_scheme
 //
 // Images must have a mimetype matching:
-// image/gif
-// image/jpeg
-// image/png
-// image/webp
+//
+// image/gif
+// image/jpeg
+// image/png
+// image/webp
 //
 // NOTE: There is a potential security risk to allowing data URIs and you should
 // only permit them on content you already trust.
diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
index 904ee82e1..104614583 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -440,8 +440,8 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 if _, err := buff.WriteString(" "); err != nil {
 return err
 }
- break
 }
+ break
 if !skipElementContent {
 if _, err := buff.WriteString(token.String()); err != nil {
 |