From 829a934d23ab221049b4d54926305d8d5d64c9ad Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Sat, 13 Nov 2021 12:29:08 +0100
Subject: update dependencies (#296)

---
 .../microcosm-cc/bluemonday/.editorconfig          |  4 ++
 .../microcosm-cc/bluemonday/.gitattributes         |  1 +
 .../github.com/microcosm-cc/bluemonday/CREDITS.md  |  3 +-
 vendor/github.com/microcosm-cc/bluemonday/Makefile |  8 ++-
 .../github.com/microcosm-cc/bluemonday/README.md   |  6 ++-
 .../github.com/microcosm-cc/bluemonday/policy.go   | 30 ++++++++++++
 .../github.com/microcosm-cc/bluemonday/sanitize.go | 57 +++++++++++++++++++---
 .../bluemonday/stringwriterwriter_go1.12.go        |  1 +
 .../bluemonday/stringwriterwriter_ltgo1.12.go      |  1 +
 9 files changed, 99 insertions(+), 12 deletions(-)
 create mode 100644 vendor/github.com/microcosm-cc/bluemonday/.editorconfig
 create mode 100644 vendor/github.com/microcosm-cc/bluemonday/.gitattributes

(limited to 'vendor/github.com/microcosm-cc')

diff --git a/vendor/github.com/microcosm-cc/bluemonday/.editorconfig b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
new file mode 100644
index 000000000..006bc2fc7
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
@@ -0,0 +1,4 @@
+root = true
+
+[*]
+end_of_line = lf
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.gitattributes b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
new file mode 100644
index 000000000..6313b56c5
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
index b3185f543..68fa88da8 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
@@ -4,4 +4,5 @@
 1. Andrew Krasichkov @buglloc https://github.com/buglloc
 1. Mike Samuel mikesamuel@gmail.com
 1. Dmitri Shuralyov shurcooL@gmail.com
-1. https://github.com/opennota
\ No newline at end of file
+1. opennota https://github.com/opennota https://gitlab.com/opennota
+1. Tom Anthony https://www.tomanthony.co.uk/
\ No newline at end of file
diff --git a/vendor/github.com/microcosm-cc/bluemonday/Makefile b/vendor/github.com/microcosm-cc/bluemonday/Makefile
index b5903a2e8..dcd042a71 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/Makefile
+++ b/vendor/github.com/microcosm-cc/bluemonday/Makefile
@@ -3,6 +3,7 @@
 #   all:          Builds the code locally after testing
 #
 #   fmt:          Formats the source files
+#   fmt-check:    Check if the source files are formated
 #   build:        Builds the code locally
 #   vet:          Vets the code
 #   lint:         Runs lint over the code (you do not need to fix everything)
@@ -11,6 +12,8 @@
 #
 #   install:      Builds, tests and installs the code locally
 
+GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")
+
 .PHONY: all fmt build vet lint test cover install
 
 # The first target is always the default action if `make` is called without
@@ -19,7 +22,10 @@
 all: fmt vet test install
 
 fmt:
-	@gofmt -s -w ./$*
+	@gofmt -s -w ${GOFILES_NOVENDOR}
+
+fmt-check:
+	@([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1)
 
 build:
 	@go build
diff --git a/vendor/github.com/microcosm-cc/bluemonday/README.md b/vendor/github.com/microcosm-cc/bluemonday/README.md
index 6a34473ef..d20debf0e 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/README.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/README.md
@@ -180,7 +180,7 @@ p.AllowElementsMatching(regex.MustCompile(`^my-element-`))
 
 Or add elements as a virtue of adding an attribute:
 ```go
-// Not the recommended pattern, see the recommendation on using .Matching() below
+// Note the recommended pattern, see the recommendation on using .Matching() below
 p.AllowAttrs("nowrap").OnElements("td", "th")
 ```
 
@@ -222,7 +222,7 @@ p.AllowElements("fieldset", "select", "option")
 
 Although it's possible to handle inline CSS using `AllowAttrs` with a `Matching` rule, writing a single monolithic regular expression to safely process all inline CSS which you wish to allow is not a trivial task.  Instead of attempting to do so, you can allow the `style` attribute on whichever element(s) you desire and use style policies to control and sanitize inline styles.
 
-It is suggested that you use `Matching` (with a suitable regular expression)
+It is strongly recommended that you use `Matching` (with a suitable regular expression)
 `MatchingEnum`, or `MatchingHandler` to ensure each style matches your needs,
 but default handlers are supplied for most widely used styles.
 
@@ -379,6 +379,8 @@ Both examples exhibit the same issue, they declare attributes but do not then sp
 
 We are not yet including any tools to help allow and sanitize CSS. Which means that unless you wish to do the heavy lifting in a single regular expression (inadvisable), **you should not allow the "style" attribute anywhere**.
 
+In the same theme, both `<script>` and `<style>` are considered harmful. These elements (and their content) will not be rendered by default, and require you to explicitly set `p.AllowUnsafe(true)`. You should be aware that allowing these elements defeats the purpose of using a HTML sanitizer as you would be explicitly allowing either JavaScript (and any plainly written XSS) and CSS (which can modify a DOM to insert JS), and additionally but limitations in this library mean it is not aware of whether HTML is validly structured and that can allow these elements to bypass some of the safety mechanisms built into the [WhatWG HTML parser standard](https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inselect).
+
 It is not the job of bluemonday to fix your bad HTML, it is merely the job of bluemonday to prevent malicious HTML getting through. If you have mismatched HTML elements, or non-conforming nesting of elements, those will remain. But if you have well-structured HTML bluemonday will not break it.
 
 ## TODO
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go
index 602a20379..71f6b8db8 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/policy.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@@ -134,6 +134,19 @@ type Policy struct {
 	setOfElementsMatchingAllowedWithoutAttrs []*regexp.Regexp
 
 	setOfElementsToSkipContent map[string]struct{}
+
+	// Permits fundamentally unsafe elements.
+	//
+	// If false (default) then elements such as `style` and `script` will not be
+	// permitted even if declared in a policy. These elements when combined with
+	// untrusted input cannot be safely handled by bluemonday at this point in
+	// time.
+	//
+	// If true then `style` and `script` would be permitted by bluemonday if a
+	// policy declares them. However this is not recommended under any circumstance
+	// and can lead to XSS being rendered thus defeating the purpose of using a
+	// HTML sanitizer.
+	allowUnsafe bool
 }
 
 type attrPolicy struct {
@@ -714,6 +727,23 @@ func (p *Policy) AllowElementsContent(names ...string) *Policy {
 	return p
 }
 
+// AllowUnsafe permits fundamentally unsafe elements.
+//
+// If false (default) then elements such as `style` and `script` will not be
+// permitted even if declared in a policy. These elements when combined with
+// untrusted input cannot be safely handled by bluemonday at this point in
+// time.
+//
+// If true then `style` and `script` would be permitted by bluemonday if a
+// policy declares them. However this is not recommended under any circumstance
+// and can lead to XSS being rendered thus defeating the purpose of using a
+// HTML sanitizer.
+func (p *Policy) AllowUnsafe(allowUnsafe bool) *Policy {
+	p.init()
+	p.allowUnsafe = allowUnsafe
+	return p
+}
+
 // addDefaultElementsWithoutAttrs adds the HTML elements that we know are valid
 // without any attributes to an internal map.
 // i.e. we know that <table> is valid, but <bdo> isn't valid as the "dir" attr
diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
index 5f4b60d71..97628ce30 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -130,7 +130,7 @@ func escapeUrlComponent(w stringWriterWriter, val string) error {
 	return err
 }
 
-// Query represents a single part of the query string, a query param 
+// Query represents a single part of the query string, a query param
 type Query struct {
 	Key      string
 	Value    string
@@ -293,6 +293,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 
 			mostRecentlyStartedToken = normaliseElementName(token.Data)
 
+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
 				aa, matched := p.matchRegex(token.Data)
@@ -341,6 +352,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 				mostRecentlyStartedToken = ""
 			}
 
+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			if skipClosingTag && closingTagToSkipStack[len(closingTagToSkipStack)-1] == token.Data {
 				closingTagToSkipStack = closingTagToSkipStack[:len(closingTagToSkipStack)-1]
 				if len(closingTagToSkipStack) == 0 {
@@ -386,6 +408,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 
 		case html.SelfClosingTagToken:
 
+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
 				aa, matched := p.matchRegex(token.Data)
@@ -425,14 +458,22 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 				case `script`:
 					// not encouraged, but if a policy allows JavaScript we
 					// should not HTML escape it as that would break the output
-					if _, err := buff.WriteString(token.Data); err != nil {
-						return err
+					//
+					// requires p.AllowUnsafe()
+					if p.allowUnsafe {
+						if _, err := buff.WriteString(token.Data); err != nil {
+							return err
+						}
 					}
 				case "style":
 					// not encouraged, but if a policy allows CSS styles we
 					// should not HTML escape it as that would break the output
-					if _, err := buff.WriteString(token.Data); err != nil {
-						return err
+					//
+					// requires p.AllowUnsafe()
+					if p.allowUnsafe {
+						if _, err := buff.WriteString(token.Data); err != nil {
+							return err
+						}
 					}
 				default:
 					// HTML escape the text
@@ -524,11 +565,11 @@ attrsLoop:
 			for _, ap := range apl {
 				if ap.regexp != nil {
 					if ap.regexp.MatchString(htmlAttr.Val) {
-				htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+						htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 						cleanAttrs = append(cleanAttrs, htmlAttr)
 					}
 				} else {
-				htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+					htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 					cleanAttrs = append(cleanAttrs, htmlAttr)
 				}
 			}
@@ -1058,4 +1099,4 @@ func escapeAttribute(val string) string {
 	val = strings.Replace(val, string([]rune{'\u00A0'}), `&nbsp;`, -1)
 	val = strings.Replace(val, `"`, `&quot;`, -1)
 	return val
-}
\ No newline at end of file
+}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
index afa011e02..5d96b9778 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
@@ -1,3 +1,4 @@
+//go:build go1.12
 // +build go1.12
 
 package bluemonday
diff --git a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
index 9bc674798..ecdaa92ca 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
@@ -1,3 +1,4 @@
+//go:build go1.1 && !go1.12
 // +build go1.1,!go1.12
 
 package bluemonday
-- 
cgit v1.3