update bluemonday to v1.0.5 to fix microcosm-cc/bluemonday#111

umputun · Apr 3, 2021 · 961b8aa · 961b8aa
1 parent 8ef87f4
commit 961b8aa
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/backend/app/store/comment_test.go b/backend/app/store/comment_test.go
@@ -67,6 +67,12 @@ func TestComment_Sanitize(t *testing.T) {
 			out: Comment{Text: "blah blah",
 				Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
 		},
+		{
+			inp: Comment{Text: "<scrİpt>&lt;img src=x onerror=alert(1)&gt;",
+				Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
+			out: Comment{Text: "&lt;img src=x onerror=alert(1)&gt;",
+				Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
+		},
 	}
 
 	for n, tt := range tbl {

diff --git a/backend/go.mod b/backend/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/gorilla/feeds v1.1.1
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/kyokomi/emoji v2.2.1+incompatible
-	github.com/microcosm-cc/bluemonday v1.0.4
+	github.com/microcosm-cc/bluemonday v1.0.5
 	github.com/pkg/errors v0.9.1
 	github.com/rakyll/statik v0.1.7
 	github.com/rs/xid v1.2.1

diff --git a/backend/go.sum b/backend/go.sum
@@ -179,6 +179,8 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
 github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg=
 github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
+github.com/microcosm-cc/bluemonday v1.0.5 h1:cF59UCKMmmUgqN1baLvqU/B1ZsMori+duLVTLpgiG3w=
+github.com/microcosm-cc/bluemonday v1.0.5/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=

diff --git a/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
diff --git a/backend/vendor/modules.txt b/backend/vendor/modules.txt
@@ -168,7 +168,7 @@ github.com/klauspost/compress/zstd/internal/xxhash
 # github.com/kyokomi/emoji v2.2.1+incompatible
 ## explicit
 github.com/kyokomi/emoji
-# github.com/microcosm-cc/bluemonday v1.0.4
+# github.com/microcosm-cc/bluemonday v1.0.5
 ## explicit
 github.com/microcosm-cc/bluemonday
 # github.com/nullrocks/identicon v0.0.0-20180626043057-7875f45b0022