lavender-legacy/gitea
7
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Upgrade to bluemonday 1.0.7 (#15379)

Browse source 
* Upgrade to bluemonday 1.0.7

Fix #15349

Signed-off-by: Andrew Thornton <art27@cantab.net>

* resolve unit test

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
zeripath 2021-04-10 00:13:06 +01:00 committed by GitHub
parent 07aa3845f8
commit b9ed3cbc26
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 18 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
go.mod
View file

@ -86,7 +86,7 @@ require (
github.com/mgechev/revive v1.0.3 github.com/mgechev/revive v1.0.3
github.com/mholt/acmez v0.1.3 // indirect github.com/mholt/acmez v0.1.3 // indirect
github.com/mholt/archiver/v3 v3.5.0 github.com/mholt/archiver/v3 v3.5.0
github.com/microcosm-cc/bluemonday v1.0.6 github.com/microcosm-cc/bluemonday v1.0.7
github.com/miekg/dns v1.1.40 // indirect github.com/miekg/dns v1.1.40 // indirect
github.com/minio/md5-simd v1.1.2 // indirect github.com/minio/md5-simd v1.1.2 // indirect
github.com/minio/minio-go/v7 v7.0.10 github.com/minio/minio-go/v7 v7.0.10

4
go.sum
View file

@ -830,8 +830,8 @@ github.com/mholt/acmez v0.1.3 h1:J7MmNIk4Qf9b8mAGqAh4XkNeowv3f1zW816yf4zt7Qk=
github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM= github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM=
github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE= github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE=
github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc=
github.com/microcosm-cc/bluemonday v1.0.6 h1:ZOvqHKtnx0fUpnbQm3m3zKFWE+DRC+XB1onh8JoEObE= github.com/microcosm-cc/bluemonday v1.0.7 h1:6yAQfk4XT+PI/dk1ZeBp1gr3Q2Hd1DR0O3aEyPUJVTE=
github.com/microcosm-cc/bluemonday v1.0.6/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI= github.com/microcosm-cc/bluemonday v1.0.7/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA= github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA=

2
modules/markup/html_test.go
View file

@ -124,7 +124,7 @@ func TestRender_links(t *testing.T) {
`<p><a href="http://www.example.com/wpstyle/?p=364" rel="nofollow">http://www.example.com/wpstyle/?p=364</a></p>`) `<p><a href="http://www.example.com/wpstyle/?p=364" rel="nofollow">http://www.example.com/wpstyle/?p=364</a></p>`)
test( test(
"https://www.example.com/foo/?bar=baz&inga=42&quux", "https://www.example.com/foo/?bar=baz&inga=42&quux",
`<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux=" rel="nofollow">https://www.example.com/foo/?bar=baz&amp;inga=42&amp;quux</a></p>`) `<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux" rel="nofollow">https://www.example.com/foo/?bar=baz&amp;inga=42&amp;quux</a></p>`)
test( test(
"http://142.42.1.1/", "http://142.42.1.1/",
`<p><a href="http://142.42.1.1/" rel="nofollow">http://142.42.1.1/</a></p>`) `<p><a href="http://142.42.1.1/" rel="nofollow">http://142.42.1.1/</a></p>`)

19
vendor/github.com/microcosm-cc/bluemonday/sanitize.go generated vendored
View file

@ -124,8 +124,9 @@ func escapeUrlComponent(val string) string {
// Query represents a query // Query represents a query
type Query struct { type Query struct {
Key string Key string
Value string Value string
HasValue bool
} }
func parseQuery(query string) (values []Query, err error) { func parseQuery(query string) (values []Query, err error) {
@ -140,8 +141,10 @@ func parseQuery(query string) (values []Query, err error) {
continue continue
} }
value := "" value := ""
hasValue := false
if i := strings.Index(key, "="); i >= 0 { if i := strings.Index(key, "="); i >= 0 {
key, value = key[:i], key[i+1:] key, value = key[:i], key[i+1:]
hasValue = true
} }
key, err1 := url.QueryUnescape(key) key, err1 := url.QueryUnescape(key)
if err1 != nil { if err1 != nil {
@ -158,8 +161,9 @@ func parseQuery(query string) (values []Query, err error) {
continue continue
} }
values = append(values, Query{ values = append(values, Query{
Key: key, Key: key,
Value: value, Value: value,
HasValue: hasValue,
}) })
} }
return values, err return values, err
@ -169,8 +173,10 @@ func encodeQueries(queries []Query) string {
var b strings.Builder var b strings.Builder
for i, query := range queries { for i, query := range queries {
b.WriteString(url.QueryEscape(query.Key)) b.WriteString(url.QueryEscape(query.Key))
b.WriteString("=") if query.HasValue {
b.WriteString(url.QueryEscape(query.Value)) b.WriteString("=")
b.WriteString(url.QueryEscape(query.Value))
}
if i < len(queries)-1 { if i < len(queries)-1 {
b.WriteString("&") b.WriteString("&")
} }
@ -965,7 +971,6 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
return aps, matched return aps, matched
} }
// normaliseElementName takes a HTML element like <script> which is user input // normaliseElementName takes a HTML element like <script> which is user input
// and returns a lower case version of it that is immune to UTF-8 to ASCII // and returns a lower case version of it that is immune to UTF-8 to ASCII
// conversion tricks (like the use of upper case cyrillic i scrİpt which a // conversion tricks (like the use of upper case cyrillic i scrİpt which a

2
vendor/modules.txt vendored
View file

@ -596,7 +596,7 @@ github.com/mholt/acmez/acme
# github.com/mholt/archiver/v3 v3.5.0 # github.com/mholt/archiver/v3 v3.5.0
## explicit ## explicit
github.com/mholt/archiver/v3 github.com/mholt/archiver/v3
# github.com/microcosm-cc/bluemonday v1.0.6 # github.com/microcosm-cc/bluemonday v1.0.7
## explicit ## explicit
github.com/microcosm-cc/bluemonday github.com/microcosm-cc/bluemonday
# github.com/miekg/dns v1.1.40 # github.com/miekg/dns v1.1.40