* Upgrade to bluemonday 1.0.7

  Fix #15349

  Signed-off-by: Andrew Thornton <art27@cantab.net>

* resolve unit test

Co-authored-by: techknowlogick <techknowlogick@gitea.io>

tags/v1.15.0-rc1
@@ -86,7 +86,7 @@ require ( | |||
github.com/mgechev/revive v1.0.3 | |||
github.com/mholt/acmez v0.1.3 // indirect | |||
github.com/mholt/archiver/v3 v3.5.0 | |||
github.com/microcosm-cc/bluemonday v1.0.6 | |||
github.com/microcosm-cc/bluemonday v1.0.7 | |||
github.com/miekg/dns v1.1.40 // indirect | |||
github.com/minio/md5-simd v1.1.2 // indirect | |||
github.com/minio/minio-go/v7 v7.0.10 |
@@ -830,8 +830,8 @@ github.com/mholt/acmez v0.1.3 h1:J7MmNIk4Qf9b8mAGqAh4XkNeowv3f1zW816yf4zt7Qk= | |||
github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM= | |||
github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE= | |||
github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= | |||
github.com/microcosm-cc/bluemonday v1.0.6 h1:ZOvqHKtnx0fUpnbQm3m3zKFWE+DRC+XB1onh8JoEObE= | |||
github.com/microcosm-cc/bluemonday v1.0.6/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI= | |||
github.com/microcosm-cc/bluemonday v1.0.7 h1:6yAQfk4XT+PI/dk1ZeBp1gr3Q2Hd1DR0O3aEyPUJVTE= | |||
github.com/microcosm-cc/bluemonday v1.0.7/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI= | |||
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= | |||
github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= | |||
github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA= |
@@ -124,7 +124,7 @@ func TestRender_links(t *testing.T) { | |||
`<p><a href="http://www.example.com/wpstyle/?p=364" rel="nofollow">http://www.example.com/wpstyle/?p=364</a></p>`) | |||
test( | |||
"https://www.example.com/foo/?bar=baz&inga=42&quux", | |||
`<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux=" rel="nofollow">https://www.example.com/foo/?bar=baz&inga=42&quux</a></p>`) | |||
`<p><a href="https://www.example.com/foo/?bar=baz&inga=42&quux" rel="nofollow">https://www.example.com/foo/?bar=baz&inga=42&quux</a></p>`) | |||
test( | |||
"http://142.42.1.1/", | |||
`<p><a href="http://142.42.1.1/" rel="nofollow">http://142.42.1.1/</a></p>`) |
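Review bot: The updated `quux` expectation pins only the bare-key form, so nothing in this hunk checks that a key with an explicit empty value still keeps its `=` after sanitisation. Judging from the vendored query-encoding change shown on this page, the sanitiser now tracks whether a value was present, and some servers treat the two forms differently, so both deserve a case. I would add a sibling case next to this one with input `"https://www.example.com/foo/?bar=baz&inga=42&quux="` and an expected `href` that ends in `quux=`. `TestRender_links` begins and ends outside the hunk, so I cannot see whether such a case already exists elsewhere in the function.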
@@ -124,8 +124,9 @@ func escapeUrlComponent(val string) string { | |||
// Query represents a query | |||
type Query struct { | |||
Key string | |||
Value string | |||
Key string | |||
Value string | |||
HasValue bool | |||
} | |||
func parseQuery(query string) (values []Query, err error) { | |||
@@ -140,8 +141,10 @@ func parseQuery(query string) (values []Query, err error) { | |||
continue | |||
} | |||
value := "" | |||
hasValue := false | |||
if i := strings.Index(key, "="); i >= 0 { | |||
key, value = key[:i], key[i+1:] | |||
hasValue = true | |||
} | |||
key, err1 := url.QueryUnescape(key) | |||
if err1 != nil { | |||
@@ -158,8 +161,9 @@ func parseQuery(query string) (values []Query, err error) { | |||
continue | |||
} | |||
values = append(values, Query{ | |||
Key: key, | |||
Value: value, | |||
Key: key, | |||
Value: value, | |||
HasValue: hasValue, | |||
}) | |||
} | |||
return values, err | |||
@@ -169,8 +173,10 @@ func encodeQueries(queries []Query) string { | |||
var b strings.Builder | |||
for i, query := range queries { | |||
b.WriteString(url.QueryEscape(query.Key)) | |||
b.WriteString("=") | |||
b.WriteString(url.QueryEscape(query.Value)) | |||
if query.HasValue { | |||
b.WriteString("=") | |||
b.WriteString(url.QueryEscape(query.Value)) | |||
} | |||
if i < len(queries)-1 { | |||
b.WriteString("&") | |||
} | |||
@@ -965,7 +971,6 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) { | |||
return aps, matched | |||
} | |||
// normaliseElementName takes a HTML element like <script> which is user input | |||
// and returns a lower case version of it that is immune to UTF-8 to ASCII | |||
// conversion tricks (like the use of upper case cyrillic i scrİpt which a | |||
@@ -983,4 +988,4 @@ func normaliseElementName(str string) string { | |||
`"`), | |||
`"`, | |||
) | |||
} | |||
} |
@@ -596,7 +596,7 @@ github.com/mholt/acmez/acme | |||
# github.com/mholt/archiver/v3 v3.5.0 | |||
## explicit | |||
github.com/mholt/archiver/v3 | |||
# github.com/microcosm-cc/bluemonday v1.0.6 | |||
# github.com/microcosm-cc/bluemonday v1.0.7 | |||
## explicit | |||
github.com/microcosm-cc/bluemonday | |||
# github.com/miekg/dns v1.1.40 |