Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update module github.com/microcosm-cc/bluemonday to v1.0.26 #438

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update module github.com/microcosm-cc/bluemonday to v1.0.26 #438

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 19, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/microcosm-cc/bluemonday v1.0.18 -> v1.0.26 age adoption passing confidence

Release Notes

microcosm-cc/bluemonday (github.com/microcosm-cc/bluemonday)

v1.0.26: Update golang.org/x/net to latest and force latest version

Compare Source

Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.

Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.

v1.0.25: Added src rewriter to allow for proxying inline assets.

Compare Source

What's Changed

New Contributors

Full Changelog: microcosm-cc/bluemonday@v1.0.24...v1.0.25

v1.0.24: Added AllowURLSchemesMatching

Compare Source

This is a feature release, there are no security fixes in this release.

What's Changed

New Contributors

Full Changelog: microcosm-cc/bluemonday@v1.0.23...v1.0.24

v1.0.23: Resolve golang.org/x/net CVE-2022-41723

Compare Source

What's Changed

New Contributors

Full Changelog: microcosm-cc/bluemonday@v1.0.22...v1.0.23

v1.0.22: Add picture to list of elements allowed without attributes

Compare Source

This is not a security update!

This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.

The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #​161 .

v1.0.21: Very minor bug fix to remove empty elements without attributes

Compare Source

Thanks to @​Gusted for https://github.com/microcosm-cc/bluemonday/pull/151 which fixes a bug that allowed a policy to be defined in a way that input could've allowed an empty and meaningless element to be left in the output when it should not have done so.

This is not a security issue, and the details can be seen in the PR comment.

v1.0.20: Updated x/net/html

Compare Source

This is an update of dependencies, specifically it updates the HTML parser within go/net/html.

The update removes a capability, Microsoft style comments that allow browser conditionals no longer works. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here golang/net@06994584 . There is no easy to see safe way to restore that functionality without adding more risk to those who .AllowComments() and so I am accepting that this non-standard use of HTML comments is no longer supported.

As part of this version, the older release of v1.0.19 is retracted.

v1.0.19: Add SVG inline images, improve RGB color and length matching, fix bug

Compare Source

What's Changed

  • css: improve RGB hex color and length matching by @​hochhaus in https://github.com/microcosm-cc/bluemonday/pull/142
  • css: add support for image/svg+xml for data-uri inline images
  • html: fix double-escaping of content within HTML attributes
  • tests: added more tests to provide examples of proofs of some open issues

New Contributors

Full Changelog: microcosm-cc/bluemonday@v1.0.18...v1.0.19

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner February 19, 2024 18:58
@renovate renovate bot added dependencies Pull requests that update a dependency file renovate PR created by RenovateBot labels Feb 19, 2024
@renovate renovate bot enabled auto-merge (squash) February 19, 2024 18:58
@renovate renovate bot force-pushed the renovate/github.com-microcosm-cc-bluemonday-1.x branch from b5ef50b to c0195df Compare March 26, 2024 13:44
@renovate renovate bot force-pushed the renovate/github.com-microcosm-cc-bluemonday-1.x branch 2 times, most recently from 499d408 to 05ee424 Compare May 7, 2024 14:36
@renovate renovate bot force-pushed the renovate/github.com-microcosm-cc-bluemonday-1.x branch from 05ee424 to 4120ad9 Compare May 16, 2024 10:43
@renovate renovate bot force-pushed the renovate/github.com-microcosm-cc-bluemonday-1.x branch from 4120ad9 to 22650c4 Compare May 16, 2024 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file renovate PR created by RenovateBot
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants