diff --git a/go.mod b/go.mod
index ec3bd02c..6bd97998 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 	github.com/h2non/filetype v1.1.3
 	github.com/jackc/pgconn v1.14.0
 	github.com/jackc/pgx/v5 v5.3.1
-	github.com/microcosm-cc/bluemonday v1.0.23
+	github.com/microcosm-cc/bluemonday v1.0.24
 	github.com/miekg/dns v1.1.54
 	github.com/minio/minio-go/v7 v7.0.55
 	github.com/mitchellh/mapstructure v1.5.0
diff --git a/go.sum b/go.sum
index 06d18dc7..cd78a43d 100644
--- a/go.sum
+++ b/go.sum
@@ -443,8 +443,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
 github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
-github.com/microcosm-cc/bluemonday v1.0.23 h1:SMZe2IGa0NuHvnVNAZ+6B38gsTbi5e4sViiWJyDDqFY=
-github.com/microcosm-cc/bluemonday v1.0.23/go.mod h1:mN70sk7UkkF8TUr2IGBpNN0jAgStuPzlK76QuruE/z4=
+github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
+github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
 github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
 github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go
index c446fad0..995f46c2 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/policy.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@@ -117,6 +117,10 @@ type Policy struct {
 	// returning true are allowed.
 	allowURLSchemes map[string][]urlPolicy
 
+	// These regexps are used to match allowed URL schemes, for example
+	// if one would want to allow all URL schemes, they would add `.+`
+	allowURLSchemeRegexps []*regexp.Regexp
+
 	// If an element has had all attributes removed as a result of a policy
 	// being applied, then the element would be removed from the output.
 	//
@@ -221,6 +225,7 @@ func (p *Policy) init() {
 	p.elsMatchingAndStyles = make(map[*regexp.Regexp]map[string][]stylePolicy)
 	p.globalStyles = make(map[string][]stylePolicy)
 	p.allowURLSchemes = make(map[string][]urlPolicy)
+	p.allowURLSchemeRegexps = make([]*regexp.Regexp, 0)
 	p.setOfElementsAllowedWithoutAttrs = make(map[string]struct{})
 	p.setOfElementsToSkipContent = make(map[string]struct{})
 	p.initialized = true
@@ -563,6 +568,13 @@ func (p *Policy) AllowElementsMatching(regex *regexp.Regexp) *Policy {
 	return p
 }
 
+// AllowURLSchemesMatching will append URL schemes to the allowlist if they
+// match a regexp.
+func (p *Policy) AllowURLSchemesMatching(r *regexp.Regexp) *Policy {
+	p.allowURLSchemeRegexps = append(p.allowURLSchemeRegexps, r)
+	return p
+}
+
 // RequireNoFollowOnLinks will result in all a, area, link tags having a
 // rel="nofollow"added to them if one does not already exist
 //
diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
index 10461458..9121aefb 100644
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -852,6 +852,7 @@ func (p *Policy) sanitizeStyles(attr html.Attribute, elementName string) html.At
 	}
 
 	//Add semi-colon to end to fix parsing issue
+	attr.Val = strings.TrimRight(attr.Val, " ")
 	if len(attr.Val) > 0 && attr.Val[len(attr.Val)-1] != ';' {
 		attr.Val = attr.Val + ";"
 	}
@@ -969,6 +970,11 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
 		}
 
 		if u.Scheme != "" {
+			for _, r := range p.allowURLSchemeRegexps {
+				if r.MatchString(u.Scheme) {
+					return u.String(), true
+				}
+			}
 
 			urlPolicies, ok := p.allowURLSchemes[u.Scheme]
 			if !ok {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3977421e..ae48d100 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -374,7 +374,7 @@ github.com/magiconair/properties
 # github.com/mattn/go-isatty v0.0.18
 ## explicit; go 1.15
 github.com/mattn/go-isatty
-# github.com/microcosm-cc/bluemonday v1.0.23
+# github.com/microcosm-cc/bluemonday v1.0.24
 ## explicit; go 1.19
 github.com/microcosm-cc/bluemonday
 github.com/microcosm-cc/bluemonday/css