From 961b8aacd95309c70f12e95b19df1ff82cbedc2f Mon Sep 17 00:00:00 2001
From: Umputun
Date: Fri, 2 Apr 2021 19:37:39 -0500
Subject: [PATCH] update bluemonday to v1.0.5 to fix https://github.com/microcosm-cc/bluemonday/issues/111

---
 backend/app/store/comment_test.go | 6 ++++
 backend/go.mod | 2 +-
 backend/go.sum | 2 ++
 .../microcosm-cc/bluemonday/sanitize.go | 28 ++++++++++++++++---
 backend/vendor/modules.txt | 2 +-
 5 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/backend/app/store/comment_test.go b/backend/app/store/comment_test.go
index ad1a99425a..4b5993b875 100644
--- a/backend/app/store/comment_test.go
+++ b/backend/app/store/comment_test.go
@@ -67,6 +67,12 @@ func TestComment_Sanitize(t *testing.T) {
 			out: Comment{Text: "blah blah", Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
 		},
+		{
+			inp: Comment{Text: "<img src=x onerror=alert(1)>",
+				Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
+			out: Comment{Text: "<img src=x onerror=alert(1)>",
+				Locator: Locator{URL: "/p/2021/03/23/prep-747/#remark42__comment-1b365913-7056-4920-b9ad-01304bdda085"}},
+		},
 	}
 	for n, tt := range tbl {
diff --git a/backend/go.mod b/backend/go.mod
index ebdfbf7ab9..6057fd2ab2 100644
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/gorilla/feeds v1.1.1
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/kyokomi/emoji v2.2.1+incompatible
-	github.com/microcosm-cc/bluemonday v1.0.4
+	github.com/microcosm-cc/bluemonday v1.0.5
 	github.com/pkg/errors v0.9.1
 	github.com/rakyll/statik v0.1.7
 	github.com/rs/xid v1.2.1
diff --git a/backend/go.sum b/backend/go.sum
index 3b63b47248..2c0f41306b 100644
--- a/backend/go.sum
+++ b/backend/go.sum
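Review bot: The added table entry asserts that `out.Text` is byte-identical to `inp.Text` for `<img src=x onerror=alert(1)>`, which as printed would mean an inline event handler passes Sanitize untouched; if the literal is in fact entity-escaped (`&lt;img …&gt;`) and the page rendering decoded it, the case is checking that already-escaped markup is not unescaped on its way through bluemonday, and nothing in the hunk says so. A reader of the table cannot tell which of the two it is, nor which upstream bug it guards against, so the entry should carry a comment such as `// regression for bluemonday #111 (see go.mod bump): escaped markup must come back still escaped`. It would also be worth pairing it with the raw, unescaped form of the same string and asserting that the `onerror` attribute is dropped, so the table pins both directions of the fix. The enclosing `tbl` literal starts above the hunk and the `for n, tt := range tbl` loop body continues below it.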
@@ -179,6 +179,8 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
 github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg=
 github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
+github.com/microcosm-cc/bluemonday v1.0.5 h1:cF59UCKMmmUgqN1baLvqU/B1ZsMori+duLVTLpgiG3w=
+github.com/microcosm-cc/bluemonday v1.0.5/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
diff --git a/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
index 103f39f6e5..bda912452a 100644
--- a/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/backend/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -229,7 +229,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 		case html.StartTagToken:
-			mostRecentlyStartedToken = strings.ToLower(token.Data)
+			mostRecentlyStartedToken = normaliseElementName(token.Data)
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
@@ -272,7 +272,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 		case html.EndTagToken:
-			if mostRecentlyStartedToken == strings.ToLower(token.Data) {
+			if mostRecentlyStartedToken == normaliseElementName(token.Data) {
 				mostRecentlyStartedToken = ""
 			}
@@ -350,11 +350,11 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 			if !skipElementContent {
 				switch mostRecentlyStartedToken {
-				case "script":
+				case `script`:
 					// not encouraged, but if a policy allows JavaScript we
 					// should not HTML escape it as that would break the output
 					buff.WriteString(token.Data)
-				case "style":
+				case `style`:
 					// not encouraged, but if a policy allows CSS styles we
 					// should not HTML escape it as that would break the output
 					buff.WriteString(token.Data)
@@ -887,3 +887,23 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
 	}
 	return aps, matched
 }
+
+
+// normaliseElementName takes a HTML element like