bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.
Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.
Full Changelog: https://github.com/microcosm-cc/bluemonday/compare/v1.0.24...v1.0.25
This is a feature release, there are no security fixes in this release.
Full Changelog: https://github.com/microcosm-cc/bluemonday/compare/v1.0.23...v1.0.24
Full Changelog: https://github.com/microcosm-cc/bluemonday/compare/v1.0.22...v1.0.23
This is not a security update!
This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.
The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .
Thanks to @Gusted for https://github.com/microcosm-cc/bluemonday/pull/151 which fixes a bug that allowed a policy to be defined in a way that input could've allowed an empty and meaningless element to be left in the output when it should not have done so.
This is not a security issue, and the details can be seen in the PR comment.
This is an update of dependencies, specifically it updates the HTML parser within go/net/html.
The update removes a capability, Microsoft style comments that allow browser conditionals no longer works. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here https://github.com/golang/net/commit/06994584 . There is no easy to see safe way to restore that functionality without adding more risk to those who .AllowComments() and so I am accepting that this non-standard use of HTML comments is no longer supported.
As part of this version, the older release of v1.0.19 is retracted.
image/svg+xml for data-uri inline imagesFull Changelog: https://github.com/microcosm-cc/bluemonday/compare/v1.0.18...v1.0.19
Full Changelog: https://github.com/microcosm-cc/bluemonday/compare/v1.0.17...v1.0.18
As per https://github.com/microcosm-cc/bluemonday/issues/135 @kiwiz has added support to bluemonday that allows the iframe element to correctly declare the security attribute sandbox.
You can read about that attribute here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
No other change is in this release.