Skip to content

Releases: microcosm-cc/bluemonday

Update golang.org/x/net to latest and force latest version

12 Oct 08:26
0eb99d2
Compare
Choose a tag to compare

Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.

Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.

Added `src` rewriter to allow for proxying inline assets.

18 Jul 11:28
Compare
Choose a tag to compare

What's Changed

New Contributors

Full Changelog: v1.0.24...v1.0.25

Added AllowURLSchemesMatching

18 May 15:14
965798e
Compare
Choose a tag to compare

This is a feature release, there are no security fixes in this release.

What's Changed

New Contributors

Full Changelog: v1.0.23...v1.0.24

Resolve golang.org/x/net CVE-2022-41723

07 Mar 11:08
3572176
Compare
Choose a tag to compare

What's Changed

New Contributors

Full Changelog: v1.0.22...v1.0.23

Add `picture` to list of elements allowed without attributes

28 Jan 12:04
fc539b0
Compare
Choose a tag to compare

This is not a security update!

This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.

The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .

Very minor bug fix to remove empty elements without attributes

03 Oct 08:46
Compare
Choose a tag to compare

Thanks to @Gusted for #151 which fixes a bug that allowed a policy to be defined in a way that input could've allowed an empty and meaningless element to be left in the output when it should not have done so.

This is not a security issue, and the details can be seen in the PR comment.

Updated x/net/html

04 Sep 10:24
Compare
Choose a tag to compare

This is an update of dependencies, specifically it updates the HTML parser within go/net/html.

The update removes a capability, Microsoft style comments that allow browser conditionals no longer works. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here golang/net@06994584 . There is no easy to see safe way to restore that functionality without adding more risk to those who .AllowComments() and so I am accepting that this non-standard use of HTML comments is no longer supported.

As part of this version, the older release of v1.0.19 is retracted.

Add SVG inline images, improve RGB color and length matching, fix bug

01 Jul 14:05
Compare
Choose a tag to compare

What's Changed

  • css: improve RGB hex color and length matching by @hochhaus in #142
  • css: add support for image/svg+xml for data-uri inline images
  • html: fix double-escaping of content within HTML attributes
  • tests: added more tests to provide examples of proofs of some open issues

New Contributors

Full Changelog: v1.0.18...v1.0.19

Fix bug in iframe sandboxvalues

07 Feb 14:38
078c4be
Compare
Choose a tag to compare

What's Changed

  • Fix incorrect handling of iframe SandboxValues by @kiwiz in #138

Full Changelog: v1.0.17...v1.0.18

Add support for the "sandbox" attribute on the "iframe" element

31 Dec 10:52
ce0adc5
Compare
Choose a tag to compare

As per #135 @kiwiz has added support to bluemonday that allows the iframe element to correctly declare the security attribute sandbox.

You can read about that attribute here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

No other change is in this release.