diff --git a/doc.go b/doc.go
index ba2d775..d95e8a9 100644
--- a/doc.go
+++ b/doc.go
@@ -35,31 +35,31 @@ the allowlist will be stripped.
 The default bluemonday.UGCPolicy().Sanitize() turns this:
- Hello World
+ Hello World
 Into the more harmless:
- Hello World
+ Hello World
 And it turns this:
- XSS
+ XSS
 Into this:
- XSS
+ XSS
 Whilst still allowing this:
-
-
-
+
+
+
 To pass through mostly unaltered (it gained a rel="nofollow"):
-
-
-
+
+
+
 The primary purpose of bluemonday is to take potentially unsafe user generated content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
@@ -95,10 +95,10 @@ attributes are considered safe for your scenario.
 OWASP provide an XSS prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet ) to help explain the risks, but essentially:
- 1. Avoid allowing anything other than plain HTML elements
- 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
- elements
- 3. Avoid allowing anything other than plain HTML elements with simple
- values that you can match to a regexp
+ 1. Avoid allowing anything other than plain HTML elements
+ 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base` - elements
+ 3. Avoid allowing anything other than plain HTML elements with simple - values that you can match to a regexp
 */
 package bluemonday
diff --git a/go.mod b/go.mod
index 34ff248..5f1ea10 100644
--- a/go.mod
+++ b/go.mod
@@ -4,10 +4,11 @@ go 1.19
 require (
 github.com/aymerick/douceur v0.2.0
- golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
+ golang.org/x/net v0.0.0-20221002022538-bcab6841153b
 )
 require github.com/gorilla/css v1.0.0 // indirect
 retract [v1.0.0, v1.0.18] // Retract older versions as only latest is to be depended upon
+ retract v1.0.19 // Uses older version of golang.org/x/net
diff --git a/go.sum b/go.sum
index 81ad6ef..f13abe0 100644
--- a/go.sum
+++ b/go.sum
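Review bot: The rationale on the new `retract v1.0.19` line in go.mod, `// Uses older version of golang.org/x/net`, is the text `go get` prints to anyone who resolves the retracted version, and it does not tell them what the newer x/net fixes or whether their own use of bluemonday is affected. Name the x/net change being pulled in (the fixing commit, or the tracking issue or advisory if one exists) so downstream consumers can triage, e.g. `retract v1.0.19 // Depends on golang.org/x/net older than 20221002022538-bcab6841153b; see <issue> for the x/net change this release picks up`. Note also that a retraction only takes effect once a newer tagged version carrying this go.mod is published, so v1.0.19 remains the resolvable latest until the follow-up release is cut.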
@@ -2,5 +2,5 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b h1:ZmngSVLe/wycRns9MKikG9OWIEjGcGAkacif7oYQaUY=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
diff --git a/helpers.go b/helpers.go
index d403949..2b03d7e 100644
--- a/helpers.go
+++ b/helpers.go
@@ -193,10 +193,11 @@ func (p *Policy) AllowImages() {
 // http://en.wikipedia.org/wiki/Data_URI_scheme
 //
 // Images must have a mimetype matching:
-// image/gif
-// image/jpeg
-// image/png
-// image/webp
+//
+// image/gif
+// image/jpeg
+// image/png
+// image/webp
 //
 // NOTE: There is a potential security risk to allowing data URIs and you should
 // only permit them on content you already trust.
diff --git a/sanitize_test.go b/sanitize_test.go
index 721e961..c13a23c 100644
--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -1151,7 +1151,7 @@ echo('IPT>alert("XSS")'); ?>`,
 expected: ``,
 },
 {
- in: ``,
+ in: ``,
 expected: ``,
 },
 {