diff options
author | 6543 | 2021-04-06 02:35:50 +0200 |
---|---|---|
committer | GitHub | 2021-04-06 01:35:50 +0100 |
commit | 711ca0c410a618b1e269d4348f545cec68347436 (patch) | |
tree | c38ca791425fb572685e477de3eba53cc23e0daf | |
parent | 013639b13f6591176f50b978f5c33802001ecadb (diff) |
Update to bluemonday-1.0.6 (#15294) (#15298)
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
-rw-r--r-- | go.mod | 6 | ||||
-rw-r--r-- | go.sum | 9 | ||||
-rw-r--r-- | modules/markup/sanitizer.go | 4 | ||||
-rw-r--r-- | modules/markup/sanitizer_test.go | 12 | ||||
-rw-r--r-- | vendor/github.com/aymerick/douceur/parser/parser.go (renamed from vendor/github.com/chris-ramon/douceur/parser/parser.go) | 0 | ||||
-rw-r--r-- | vendor/github.com/chris-ramon/douceur/LICENSE | 22 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/SECURITY.md | 15 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/go.mod | 7 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/go.sum | 11 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/handlers.go | 1 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/policy.go | 43 | ||||
-rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/sanitize.go | 52 | ||||
-rw-r--r-- | vendor/modules.txt | 8 |
13 files changed, 124 insertions, 66 deletions
@@ -70,7 +70,7 @@ require ( github.com/mgechev/dots v0.0.0-20190921121421-c36f7dcfbb81 github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7 github.com/mholt/archiver/v3 v3.3.0 - github.com/microcosm-cc/bluemonday v1.0.5 + github.com/microcosm-cc/bluemonday v1.0.6 github.com/minio/minio-go/v7 v7.0.4 github.com/mitchellh/go-homedir v1.1.0 github.com/msteinert/pam v0.0.0-20151204160544-02ccfbfaf0cc @@ -105,7 +105,7 @@ require ( go.jolheiser.com/hcaptcha v0.0.4 go.jolheiser.com/pwn v0.0.3 golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 - golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c + golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44 golang.org/x/text v0.3.3 @@ -124,5 +124,3 @@ require ( ) replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 - -replace github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 @@ -140,8 +140,6 @@ github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668 h1:U/lr3Dgy4WK github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU= -github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= @@ -598,8 +596,6 @@ github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.7.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc h1:ERSU1OvZ6MdWhHieo2oT7xwR/HCksqKdgK6iYPU5pHI= github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 h1:1omo92DLtxQu6VwVPSZAmduHaK5zssed6cvkHyl1XOg= -github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w= github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:uNwtsDp7ci48vBTTxDuwcoTXz4lwtDTe7TjCQ0noaWY= github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:mmIfjCSQlGYXmJ95jFN84AkQFnVABtKuJL8IrzwvUKQ= github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de h1:nyxwRdWHAVxpFcDThedEgQ07DbcRc5xgNObtbTp76fk= @@ -651,6 +647,8 @@ github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7 h1:ydVkpU/M4/c45y github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7/go.mod h1:no/hfevHbndpXR5CaJahkYCfM/FFpmM/dSOwFGU7Z1o= github.com/mholt/archiver/v3 v3.3.0 h1:vWjhY8SQp5yzM9P6OJ/eZEkmi3UAbRrxCq48MxjAzig= github.com/mholt/archiver/v3 v3.3.0/go.mod h1:YnQtqsp+94Rwd0D/rk5cnLrxusUBUXg+08Ebtr1Mqao= +github.com/microcosm-cc/bluemonday v1.0.6 h1:ZOvqHKtnx0fUpnbQm3m3zKFWE+DRC+XB1onh8JoEObE= +github.com/microcosm-cc/bluemonday v1.0.6/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4= github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= @@ -996,8 +994,9 @@ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8= golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/oauth2 v0.0.0-20180620175406-ef147856a6dd/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index ba73650bd..23b109c8d 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -46,7 +46,9 @@ func ReplaceSanitizer() { sanitizer.policy.AllowAttrs("checked", "disabled", "readonly").OnElements("input") // Custom URL-Schemes - sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) + if len(setting.Markdown.CustomURLSchemes) > 0 { + sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) + } // Allow keyword markup sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span") diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index 3e8dcecd5..633408530 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -6,6 +6,8 @@ package markup import ( + "html/template" + "strings" "testing" "github.com/stretchr/testify/assert" @@ -50,3 +52,13 @@ func Test_Sanitizer(t *testing.T) { assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i])))) } } + +func TestSanitizeNonEscape(t *testing.T) { + descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>" + + output := template.HTML(Sanitize(string(descStr))) + if strings.Contains(string(output), "<script>") { + t.Errorf("un-escaped <script> in output: %q", output) + } + +} diff --git a/vendor/github.com/chris-ramon/douceur/parser/parser.go b/vendor/github.com/aymerick/douceur/parser/parser.go index 6c4917ccf..6c4917ccf 100644 --- a/vendor/github.com/chris-ramon/douceur/parser/parser.go +++ b/vendor/github.com/aymerick/douceur/parser/parser.go diff --git a/vendor/github.com/chris-ramon/douceur/LICENSE b/vendor/github.com/chris-ramon/douceur/LICENSE deleted file mode 100644 index 6ce87cd37..000000000 --- a/vendor/github.com/chris-ramon/douceur/LICENSE +++ /dev/null @@ -1,22 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2015 Aymerick JEHANNE - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - diff --git a/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md b/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md new file mode 100644 index 000000000..a344e7c05 --- /dev/null +++ b/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md @@ -0,0 +1,15 @@ +# Security Policy + +## Supported Versions + +Latest tag and tip are supported. + +Older tags remain present but changes result in new tags and are not back ported... please verify any issue against the latest tag and tip. + +## Reporting a Vulnerability + +Email: <bluemonday@buro9.com> + +Bluemonday is pure OSS and not maintained by a company. As such there is no bug bounty program but security issues will be taken seriously and resolved as soon as possible. + +The maintainer lives in the United Kingdom and whilst the email is monitored expect a reply or ACK when the maintainer is awake. diff --git a/vendor/github.com/microcosm-cc/bluemonday/go.mod b/vendor/github.com/microcosm-cc/bluemonday/go.mod index 47b521a75..0ff3d77b0 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/go.mod +++ b/vendor/github.com/microcosm-cc/bluemonday/go.mod @@ -1,10 +1,9 @@ module github.com/microcosm-cc/bluemonday -go 1.9 +go 1.16 require ( - github.com/aymerick/douceur v0.2.0 // indirect - github.com/chris-ramon/douceur v0.2.0 + github.com/aymerick/douceur v0.2.0 github.com/gorilla/css v1.0.0 // indirect - golang.org/x/net v0.0.0-20181220203305-927f97764cc3 + golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c ) diff --git a/vendor/github.com/microcosm-cc/bluemonday/go.sum b/vendor/github.com/microcosm-cc/bluemonday/go.sum index 8c34e7a40..7955d9eb0 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/go.sum +++ b/vendor/github.com/microcosm-cc/bluemonday/go.sum @@ -1,8 +1,11 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= -github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU= -github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE= github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY= github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3 h1:eH6Eip3UpmR+yM/qI9Ijluzb1bNv/cAU/n+6l8tRSis= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8= +golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/vendor/github.com/microcosm-cc/bluemonday/handlers.go b/vendor/github.com/microcosm-cc/bluemonday/handlers.go index 1ef4c8acd..9753d6e95 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/handlers.go +++ b/vendor/github.com/microcosm-cc/bluemonday/handlers.go @@ -26,6 +26,7 @@ // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + package bluemonday import ( diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go index 739d302c3..9c7e662fc 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/policy.go +++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go @@ -69,6 +69,9 @@ type Policy struct { // Will skip for href="/foo" or href="foo" requireNoReferrerFullyQualifiedLinks bool + // When true, add crossorigin="anonymous" to HTML audio, img, link, script, and video tags + requireCrossOriginAnonymous bool + // When true add target="_blank" to fully qualified links // Will add for href="http://foo" // Will skip for href="/foo" or href="foo" @@ -433,24 +436,24 @@ func (spb *stylePolicyBuilder) OnElements(elements ...string) *Policy { // and return the updated policy func (spb *stylePolicyBuilder) OnElementsMatching(regex *regexp.Regexp) *Policy { - for _, attr := range spb.propertyNames { + for _, attr := range spb.propertyNames { - if _, ok := spb.p.elsMatchingAndStyles[regex]; !ok { - spb.p.elsMatchingAndStyles[regex] = make(map[string]stylePolicy) - } + if _, ok := spb.p.elsMatchingAndStyles[regex]; !ok { + spb.p.elsMatchingAndStyles[regex] = make(map[string]stylePolicy) + } - sp := stylePolicy{} - if spb.handler != nil { - sp.handler = spb.handler - } else if len(spb.enum) > 0 { - sp.enum = spb.enum - } else if spb.regexp != nil { - sp.regexp = spb.regexp - } else { - sp.handler = getDefaultHandler(attr) - } - spb.p.elsMatchingAndStyles[regex][attr] = sp + sp := stylePolicy{} + if spb.handler != nil { + sp.handler = spb.handler + } else if len(spb.enum) > 0 { + sp.enum = spb.enum + } else if spb.regexp != nil { + sp.regexp = spb.regexp + } else { + sp.handler = getDefaultHandler(attr) } + spb.p.elsMatchingAndStyles[regex][attr] = sp + } return spb.p } @@ -558,6 +561,16 @@ func (p *Policy) RequireNoReferrerOnFullyQualifiedLinks(require bool) *Policy { return p } +// RequireCrossOriginAnonymous will result in all audio, img, link, script, and +// video tags having a crossorigin="anonymous" added to them if one does not +// already exist +func (p *Policy) RequireCrossOriginAnonymous(require bool) *Policy { + + p.requireCrossOriginAnonymous = require + + return p +} + // AddTargetBlankToFullyQualifiedLinks will result in all a, area and link tags // that point to a non-local destination (i.e. starts with a protocol and has a // host) having a target="_blank" added to them if one does not already exist diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go index a58333aa6..99559bbab 100644 --- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go +++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go @@ -39,7 +39,7 @@ import ( "golang.org/x/net/html" - cssparser "github.com/chris-ramon/douceur/parser" + "github.com/aymerick/douceur/parser" ) var ( @@ -286,7 +286,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer { case html.StartTagToken: - mostRecentlyStartedToken = strings.ToLower(token.Data) + mostRecentlyStartedToken = normaliseElementName(token.Data) aps, ok := p.elsAndAttrs[token.Data] if !ok { @@ -329,7 +329,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer { case html.EndTagToken: - if mostRecentlyStartedToken == strings.ToLower(token.Data) { + if mostRecentlyStartedToken == normaliseElementName(token.Data) { mostRecentlyStartedToken = "" } @@ -407,11 +407,11 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer { if !skipElementContent { switch mostRecentlyStartedToken { - case "script": + case `script`: // not encouraged, but if a policy allows JavaScript we // should not HTML escape it as that would break the output buff.WriteString(token.Data) - case "style": + case `style`: // not encouraged, but if a policy allows CSS styles we // should not HTML escape it as that would break the output buff.WriteString(token.Data) @@ -721,6 +721,26 @@ func (p *Policy) sanitizeAttrs( } } + if p.requireCrossOriginAnonymous && len(cleanAttrs) > 0 { + switch elementName { + case "audio", "img", "link", "script", "video": + var crossOriginFound bool + for _, htmlAttr := range cleanAttrs { + if htmlAttr.Key == "crossorigin" { + crossOriginFound = true + htmlAttr.Val = "anonymous" + } + } + + if !crossOriginFound { + crossOrigin := html.Attribute{} + crossOrigin.Key = "crossorigin" + crossOrigin.Val = "anonymous" + cleanAttrs = append(cleanAttrs, crossOrigin) + } + } + } + return cleanAttrs } @@ -744,7 +764,7 @@ func (p *Policy) sanitizeStyles(attr html.Attribute, elementName string) html.At if len(attr.Val) > 0 && attr.Val[len(attr.Val)-1] != ';' { attr.Val = attr.Val + ";" } - decs, err := cssparser.ParseDeclarations(attr.Val) + decs, err := parser.ParseDeclarations(attr.Val) if err != nil { attr.Val = "" return attr @@ -944,3 +964,23 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) { } return aps, matched } + + +// normaliseElementName takes a HTML element like <script> which is user input +// and returns a lower case version of it that is immune to UTF-8 to ASCII +// conversion tricks (like the use of upper case cyrillic i scrİpt which a +// strings.ToLower would convert to script). Instead this func will preserve +// all non-ASCII as their escaped equivalent, i.e. \u0130 which reveals the +// characters when lower cased +func normaliseElementName(str string) string { + // that useful QuoteToASCII put quote marks at the start and end + // so those are trimmed off + return strings.TrimSuffix( + strings.TrimPrefix( + strings.ToLower( + strconv.QuoteToASCII(str), + ), + `"`), + `"`, + ) +}
\ No newline at end of file diff --git a/vendor/modules.txt b/vendor/modules.txt index d5bcdaedc..45db44aed 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -103,6 +103,7 @@ github.com/anmitsu/go-shlex github.com/asaskevich/govalidator # github.com/aymerick/douceur v0.2.0 github.com/aymerick/douceur/css +github.com/aymerick/douceur/parser # github.com/beorn7/perks v1.0.1 github.com/beorn7/perks/quantile # github.com/blevesearch/bleve v1.0.10 @@ -169,8 +170,6 @@ github.com/boombuler/barcode/qr github.com/boombuler/barcode/utils # github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668 github.com/bradfitz/gomemcache/memcache -# github.com/chris-ramon/douceur v0.2.0 -github.com/chris-ramon/douceur/parser # github.com/couchbase/gomemcached v0.0.0-20191004160342-7b5da2ec40b2 ## explicit github.com/couchbase/gomemcached @@ -566,7 +565,7 @@ github.com/mgechev/revive/rule # github.com/mholt/archiver/v3 v3.3.0 ## explicit github.com/mholt/archiver/v3 -# github.com/microcosm-cc/bluemonday v1.0.5 => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 +# github.com/microcosm-cc/bluemonday v1.0.6 ## explicit github.com/microcosm-cc/bluemonday # github.com/minio/md5-simd v1.1.0 @@ -809,7 +808,7 @@ golang.org/x/crypto/ssh/knownhosts # golang.org/x/mod v0.3.0 golang.org/x/mod/module golang.org/x/mod/semver -# golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c +# golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 ## explicit golang.org/x/net/context golang.org/x/net/context/ctxhttp @@ -979,4 +978,3 @@ xorm.io/xorm/names xorm.io/xorm/schemas xorm.io/xorm/tags # github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4 -# github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 |