[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.20 to 1.0.21 (#1004)

Bumps [github.com/microcosm-cc/bluemonday](https://github.com/microcosm-cc/bluemonday) from 1.0.20 to 1.0.21. - [Release notes](https://github.com/microcosm-cc/bluemonday/releases) - [Commits](https://github.com/microcosm-cc/bluemonday/compare/v1.0.20...v1.0.21) --- updated-dependencies: - dependency-name: github.com/microcosm-cc/bluemonday dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-05 21:59:39 +02:00 · 2022-11-08 11:11:35 +01:00
parent 18e7e00732
commit a9a43beca2
11 changed files with 131 additions and 77 deletions
--- a/vendor/github.com/microcosm-cc/bluemonday/doc.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/doc.go
@ -35,31 +35,31 @@ the allowlist will be stripped.

 The default bluemonday.UGCPolicy().Sanitize() turns this:

-    Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
+	Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World

 Into the more harmless:

-    Hello World
+	Hello World

 And it turns this:

-    <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
+	<a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>

 Into this:

-    XSS
+	XSS

 Whilst still allowing this:

-    <a href="http://www.google.com/">
-      <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
-    </a>
+	<a href="http://www.google.com/">
+	  <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+	</a>

 To pass through mostly unaltered (it gained a rel="nofollow"):

-    <a href="http://www.google.com/" rel="nofollow">
-      <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
-    </a>
+	<a href="http://www.google.com/" rel="nofollow">
+	  <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+	</a>

 The primary purpose of bluemonday is to take potentially unsafe user generated
 content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
@ -95,10 +95,10 @@ attributes are considered safe for your scenario. OWASP provide an XSS
 prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet )
 to help explain the risks, but essentially:

-    1. Avoid allowing anything other than plain HTML elements
-    2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
-       elements
-    3. Avoid allowing anything other than plain HTML elements with simple
-       values that you can match to a regexp
+ 1. Avoid allowing anything other than plain HTML elements
+ 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
+    elements
+ 3. Avoid allowing anything other than plain HTML elements with simple
+    values that you can match to a regexp
 */
 package bluemonday
--- a/vendor/github.com/microcosm-cc/bluemonday/helpers.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
@ -193,10 +193,11 @@ func (p *Policy) AllowImages() {
 // http://en.wikipedia.org/wiki/Data_URI_scheme
 //
 // Images must have a mimetype matching:
-//   image/gif
-//   image/jpeg
-//   image/png
-//   image/webp
+//
+//	image/gif
+//	image/jpeg
+//	image/png
+//	image/webp
 //
 // NOTE: There is a potential security risk to allowing data URIs and you should
 // only permit them on content you already trust.
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@ -440,8 +440,8 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 					if _, err := buff.WriteString(" "); err != nil {
 						return err
 					}
-					break
 				}
+				break
 			}
 			if !skipElementContent {
 				if _, err := buff.WriteString(token.String()); err != nil {