go mod && go fmt: update dependencies and format code

doc.go

@@ -35,31 +35,31 @@ the allowlist will be stripped.
 
 The default bluemonday.UGCPolicy().Sanitize() turns this:
 
-    Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
+	Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
 
 Into the more harmless:
 
-    Hello World
+	Hello World
 
 And it turns this:
 
-    <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
+	<a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>
 
 Into this:
 
-    XSS
+	XSS
 
 Whilst still allowing this:
 
-    <a href="http://www.google.com/">
-      <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
-    </a>
+	<a href="http://www.google.com/">
+	  <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+	</a>
 
 To pass through mostly unaltered (it gained a rel="nofollow"):
 
-    <a href="http://www.google.com/" rel="nofollow">
-      <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
-    </a>
+	<a href="http://www.google.com/" rel="nofollow">
+	  <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/>
+	</a>
 
 The primary purpose of bluemonday is to take potentially unsafe user generated
 content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
@@ -95,10 +95,10 @@ attributes are considered safe for your scenario. OWASP provide an XSS
 prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet )
 to help explain the risks, but essentially:
 
-    1. Avoid allowing anything other than plain HTML elements
-    2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
-       elements
-    3. Avoid allowing anything other than plain HTML elements with simple
-       values that you can match to a regexp
+ 1. Avoid allowing anything other than plain HTML elements
+ 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base`
+    elements
+ 3. Avoid allowing anything other than plain HTML elements with simple
+    values that you can match to a regexp
 */
 package bluemonday

go.mod

@@ -4,10 +4,11 @@ go 1.19
 
 require (
 	github.com/aymerick/douceur v0.2.0
-	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
+	golang.org/x/net v0.0.0-20221002022538-bcab6841153b
 )
 
 require github.com/gorilla/css v1.0.0 // indirect
 
 retract [v1.0.0, v1.0.18] // Retract older versions as only latest is to be depended upon
+
 retract v1.0.19 // Uses older version of golang.org/x/net

go.sum

@@ -2,5 +2,5 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b h1:ZmngSVLe/wycRns9MKikG9OWIEjGcGAkacif7oYQaUY=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=

helpers.go

@@ -193,10 +193,11 @@ func (p *Policy) AllowImages() {
 // http://en.wikipedia.org/wiki/Data_URI_scheme
 //
 // Images must have a mimetype matching:
-//   image/gif
-//   image/jpeg
-//   image/png
-//   image/webp
+//
+//	image/gif
+//	image/jpeg
+//	image/png
+//	image/webp
 //
 // NOTE: There is a potential security risk to allowing data URIs and you should
 // only permit them on content you already trust.

sanitize_test.go

@@ -1151,7 +1151,7 @@ echo('IPT>alert("XSS")</SCRIPT>'); ?>`,
 			expected: ``,
 		},
 		{
-			in: `<IMG SRC="jav	ascript:alert('XSS');">`,
+			in:       `<IMG SRC="jav	ascript:alert('XSS');">`,
 			expected: ``,
 		},
 		{