Releases: microcosm-cc/bluemonday
Update golang.org/x/net to latest and force latest version
Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.
Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.
Added `src` rewriter to allow for proxying inline assets.
What's Changed
- Bump golang.org/x/net from 0.10.0 to 0.12.0 by @dependabot in #178
- Prefer explicit rules over regexp by @KN4CK3R in #182
- Added src rewriter by @yyewolf in #179
New Contributors
Full Changelog: v1.0.24...v1.0.25
Contributors
Assets 2
Added AllowURLSchemesMatching
This is a feature release, there are no security fixes in this release.
What's Changed
- Minor bug fix parsing style attribute with trailing spaces by @sergeyfedotov in #172
- Allow custom URL schemes by matching regex by @yardenshoham in #175
- Bump golang.org/x/net from 0.8.0 to 0.10.0 by @dependabot in #173
New Contributors
- @sergeyfedotov made their first contribution in #172
- @yardenshoham made their first contribution in #175
Full Changelog: v1.0.23...v1.0.24
Contributors
Assets 2
Resolve golang.org/x/net CVE-2022-41723
What's Changed
- Upgrade golang.org/x/net to 0.8.0 by @barshociaj in #165 to address CVE-2022-41723 which requires updating the x/net dependency
New Contributors
- @barshociaj made their first contribution in #165
Full Changelog: v1.0.22...v1.0.23
Contributors
Assets 2
Add `picture` to list of elements allowed without attributes
This is not a security update!
This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.
The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .
Very minor bug fix to remove empty elements without attributes
Contributors
Assets 2
Updated x/net/html
This is an update of dependencies, specifically it updates the HTML parser within go/net/html.
The update removes a capability, Microsoft style comments that allow browser conditionals no longer works. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here golang/net@06994584 . There is no easy to see safe way to restore that functionality without adding more risk to those who .AllowComments() and so I am accepting that this non-standard use of HTML comments is no longer supported.
As part of this version, the older release of v1.0.19 is retracted.
Add SVG inline images, improve RGB color and length matching, fix bug
What's Changed
- css: improve RGB hex color and length matching by @hochhaus in #142
- css: add support for
image/svg+xmlfor data-uri inline images - html: fix double-escaping of content within HTML attributes
- tests: added more tests to provide examples of proofs of some open issues
New Contributors
Full Changelog: v1.0.18...v1.0.19
Contributors
Assets 2
Fix bug in iframe sandboxvalues
What's Changed
Full Changelog: v1.0.17...v1.0.18
Contributors
Assets 2
Add support for the "sandbox" attribute on the "iframe" element
As per #135 @kiwiz has added support to bluemonday that allows the iframe element to correctly declare the security attribute sandbox.
You can read about that attribute here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
No other change is in this release.