From a9a43beca238516d5296829d13982e96ad7f8f2c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 11:11:35 +0100 Subject: [chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.20 to 1.0.21 (#1004) Bumps [github.com/microcosm-cc/bluemonday](https://github.com/microcosm-cc/bluemonday) from 1.0.20 to 1.0.21. - [Release notes](https://github.com/microcosm-cc/bluemonday/releases) - [Commits](https://github.com/microcosm-cc/bluemonday/compare/v1.0.20...v1.0.21) --- updated-dependencies: - dependency-name: github.com/microcosm-cc/bluemonday dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- vendor/github.com/microcosm-cc/bluemonday/doc.go | 30 +++++++++++----------- .../github.com/microcosm-cc/bluemonday/helpers.go | 9 ++++--- .../github.com/microcosm-cc/bluemonday/sanitize.go | 2 +- 3 files changed, 21 insertions(+), 20 deletions(-) (limited to 'vendor/github.com/microcosm-cc') diff --git a/vendor/github.com/microcosm-cc/bluemonday/doc.go b/vendor/github.com/microcosm-cc/bluemonday/doc.go index ba2d775ac..d95e8a9d2 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/doc.go +++ b/vendor/github.com/microcosm-cc/bluemonday/doc.go @@ -35,31 +35,31 @@ the allowlist will be stripped. The default bluemonday.UGCPolicy().Sanitize() turns this: - Hello World + Hello World Into the more harmless: - Hello World + Hello World And it turns this: - XSS + XSS Into this: - XSS + XSS Whilst still allowing this: - - - + + + To pass through mostly unaltered (it gained a rel="nofollow"): - - - + + + The primary purpose of bluemonday is to take potentially unsafe user generated content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe @@ -95,10 +95,10 @@ attributes are considered safe for your scenario. OWASP provide an XSS prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet ) to help explain the risks, but essentially: - 1. Avoid allowing anything other than plain HTML elements - 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base` - elements - 3. Avoid allowing anything other than plain HTML elements with simple - values that you can match to a regexp + 1. Avoid allowing anything other than plain HTML elements + 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base` + elements + 3. Avoid allowing anything other than plain HTML elements with simple + values that you can match to a regexp */ package bluemonday diff --git a/vendor/github.com/microcosm-cc/bluemonday/helpers.go b/vendor/github.com/microcosm-cc/bluemonday/helpers.go index d4039492e..2b03d7e7d 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/helpers.go +++ b/vendor/github.com/microcosm-cc/bluemonday/helpers.go @@ -193,10 +193,11 @@ func (p *Policy) AllowImages() { // http://en.wikipedia.org/wiki/Data_URI_scheme // // Images must have a mimetype matching: -// image/gif -// image/jpeg -// image/png -// image/webp +// +// image/gif +// image/jpeg +// image/png +// image/webp // // NOTE: There is a potential security risk to allowing data URIs and you should // only permit them on content you already trust. diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go index 904ee82e1..104614583 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go +++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go @@ -440,8 +440,8 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error { if _, err := buff.WriteString(" "); err != nil { return err } - break } + break } if !skipElementContent { if _, err := buff.WriteString(token.String()); err != nil { -- cgit v1.2.3