Upgrade to bluemonday 1.0.7 (#15379)
* Upgrade to bluemonday 1.0.7 Fix #15349 Signed-off-by: Andrew Thornton <art27@cantab.net> * resolve unit test Co-authored-by: techknowlogick <techknowlogick@gitea.io>
parent
07aa3845f8
commit
b9ed3cbc26
5 changed files with 18 additions and 13 deletions
2
go.mod
2
go.mod
|
@ -86,7 +86,7 @@ require (
|
||||||
github.com/mgechev/revive v1.0.3
|
github.com/mgechev/revive v1.0.3
|
||||||
github.com/mholt/acmez v0.1.3 // indirect
|
github.com/mholt/acmez v0.1.3 // indirect
|
||||||
github.com/mholt/archiver/v3 v3.5.0
|
github.com/mholt/archiver/v3 v3.5.0
|
||||||
github.com/microcosm-cc/bluemonday v1.0.6
|
github.com/microcosm-cc/bluemonday v1.0.7
|
||||||
github.com/miekg/dns v1.1.40 // indirect
|
github.com/miekg/dns v1.1.40 // indirect
|
||||||
github.com/minio/md5-simd v1.1.2 // indirect
|
github.com/minio/md5-simd v1.1.2 // indirect
|
||||||
github.com/minio/minio-go/v7 v7.0.10
|
github.com/minio/minio-go/v7 v7.0.10
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -830,8 +830,8 @@ github.com/mholt/acmez v0.1.3 h1:J7MmNIk4Qf9b8mAGqAh4XkNeowv3f1zW816yf4zt7Qk=
|
||||||
github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM=
|
github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM=
|
||||||
github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE=
|
github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE=
|
||||||
github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc=
|
github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc=
|
||||||
github.com/microcosm-cc/bluemonday v1.0.6 h1:ZOvqHKtnx0fUpnbQm3m3zKFWE+DRC+XB1onh8JoEObE=
|
github.com/microcosm-cc/bluemonday v1.0.7 h1:6yAQfk4XT+PI/dk1ZeBp1gr3Q2Hd1DR0O3aEyPUJVTE=
|
||||||
github.com/microcosm-cc/bluemonday v1.0.6/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI=
|
github.com/microcosm-cc/bluemonday v1.0.7/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI=
|
||||||
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||||
github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
|
github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
|
||||||
github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA=
|
github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA=
|
||||||
|
|
|
@ -124,7 +124,7 @@ func TestRender_links(t *testing.T) {
|
||||||
`<p><a href="http://www.example.com/wpstyle/?p=364" rel="nofollow">http://www.example.com/wpstyle/?p=364</a></p>`)
|
`<p><a href="http://www.example.com/wpstyle/?p=364" rel="nofollow">http://www.example.com/wpstyle/?p=364</a></p>`)
|
||||||
test(
|
test(
|
||||||
"https://www.example.com/foo/?bar=baz&inga=42&quux",
|
"https://www.example.com/foo/?bar=baz&inga=42&quux",
|
||||||
`<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux=" rel="nofollow">https://www.example.com/foo/?bar=baz&inga=42&quux</a></p>`)
|
`<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux" rel="nofollow">https://www.example.com/foo/?bar=baz&inga=42&quux</a></p>`)
|
||||||
test(
|
test(
|
||||||
"http://142.42.1.1/",
|
"http://142.42.1.1/",
|
||||||
`<p><a href="http://142.42.1.1/" rel="nofollow">http://142.42.1.1/</a></p>`)
|
`<p><a href="http://142.42.1.1/" rel="nofollow">http://142.42.1.1/</a></p>`)
|
||||||
|
|
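Review bot: The updated expectation covers only a trailing key with no `=` (`&quux`), so nothing visible in this hunk pins the opposite case, an explicit empty value (`&quux=`), which the sanitizer now has to keep distinct when it re-encodes the href. Because this output is what the HTML sanitizer emits for user-supplied links, I would add a sibling `test(` call whose input ends in `&quux=` and whose expected href keeps the trailing `=`, plus one with a valueless key in the middle of the query (for example `?quux&bar=baz`), so that a later bluemonday bump that changes query re-encoding is caught here. The expected strings should be taken from an actual run rather than written by hand. TestRender_links starts and ends outside this hunk, so such cases may already exist elsewhere in the function.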
7
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
7
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
generated
vendored
|
@ -126,6 +126,7 @@ func escapeUrlComponent(val string) string {
|
||||||
type Query struct {
|
type Query struct {
|
||||||
Key string
|
Key string
|
||||||
Value string
|
Value string
|
||||||
|
HasValue bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseQuery(query string) (values []Query, err error) {
|
func parseQuery(query string) (values []Query, err error) {
|
||||||
|
@ -140,8 +141,10 @@ func parseQuery(query string) (values []Query, err error) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
value := ""
|
value := ""
|
||||||
|
hasValue := false
|
||||||
if i := strings.Index(key, "="); i >= 0 {
|
if i := strings.Index(key, "="); i >= 0 {
|
||||||
key, value = key[:i], key[i+1:]
|
key, value = key[:i], key[i+1:]
|
||||||
|
hasValue = true
|
||||||
}
|
}
|
||||||
key, err1 := url.QueryUnescape(key)
|
key, err1 := url.QueryUnescape(key)
|
||||||
if err1 != nil {
|
if err1 != nil {
|
||||||
|
@ -160,6 +163,7 @@ func parseQuery(query string) (values []Query, err error) {
|
||||||
values = append(values, Query{
|
values = append(values, Query{
|
||||||
Key: key,
|
Key: key,
|
||||||
Value: value,
|
Value: value,
|
||||||
|
HasValue: hasValue,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
return values, err
|
return values, err
|
||||||
|
@ -169,8 +173,10 @@ func encodeQueries(queries []Query) string {
|
||||||
var b strings.Builder
|
var b strings.Builder
|
||||||
for i, query := range queries {
|
for i, query := range queries {
|
||||||
b.WriteString(url.QueryEscape(query.Key))
|
b.WriteString(url.QueryEscape(query.Key))
|
||||||
|
if query.HasValue {
|
||||||
b.WriteString("=")
|
b.WriteString("=")
|
||||||
b.WriteString(url.QueryEscape(query.Value))
|
b.WriteString(url.QueryEscape(query.Value))
|
||||||
|
}
|
||||||
if i < len(queries)-1 {
|
if i < len(queries)-1 {
|
||||||
b.WriteString("&")
|
b.WriteString("&")
|
||||||
}
|
}
|
||||||
|
@ -965,7 +971,6 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
|
||||||
return aps, matched
|
return aps, matched
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// normaliseElementName takes a HTML element like <script> which is user input
|
// normaliseElementName takes a HTML element like <script> which is user input
|
||||||
// and returns a lower case version of it that is immune to UTF-8 to ASCII
|
// and returns a lower case version of it that is immune to UTF-8 to ASCII
|
||||||
// conversion tricks (like the use of upper case cyrillic i scrİpt which a
|
// conversion tricks (like the use of upper case cyrillic i scrİpt which a
|
||||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -596,7 +596,7 @@ github.com/mholt/acmez/acme
|
||||||
# github.com/mholt/archiver/v3 v3.5.0
|
# github.com/mholt/archiver/v3 v3.5.0
|
||||||
## explicit
|
## explicit
|
||||||
github.com/mholt/archiver/v3
|
github.com/mholt/archiver/v3
|
||||||
# github.com/microcosm-cc/bluemonday v1.0.6
|
# github.com/microcosm-cc/bluemonday v1.0.7
|
||||||
## explicit
|
## explicit
|
||||||
github.com/microcosm-cc/bluemonday
|
github.com/microcosm-cc/bluemonday
|
||||||
# github.com/miekg/dns v1.1.40
|
# github.com/miekg/dns v1.1.40
|
||||||
|
|