drone-plugins / drone-matrix

Drone plugin for sending Matrix notifications
http://plugins.drone.io/drone-plugins/drone-matrix
Apache License 2.0

Update module github.com/microcosm-cc/bluemonday to v1.0.20 - autoclosed #22

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 3 years ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/microcosm-cc/bluemonday | require | patch | v1.0.4 -> v1.0.20 |

Release Notes

microcosm-cc/bluemonday

### [`v1.0.20`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.20)

[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.19...v1.0.20)

This is an update of dependencies, specifically it updates the HTML parser within go/net/html.

The update removes a capability: Microsoft-style comments that allow browser conditionals no longer work. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here https://github.com/golang/net/commit/06994584 . There is no easy-to-see safe way to restore that functionality without adding more risk to those who `.AllowComments()`, and so I am accepting that this non-standard use of HTML comments is no longer supported.

As part of this version, the older release of v1.0.19 is retracted.

### [`v1.0.19`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.19)

[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.18...v1.0.19)

#### What's Changed

- css: improve RGB hex color and length matching by [@hochhaus](https://togithub.com/hochhaus) in [https://github.com/microcosm-cc/bluemonday/pull/142](https://togithub.com/microcosm-cc/bluemonday/pull/142)
- css: add support for `image/svg+xml` for data-uri inline images
- html: fix double-escaping of content within HTML attributes
- tests: added more tests to provide examples of proofs of some open issues

#### New Contributors

- [@hochhaus](https://togithub.com/hochhaus) made their first contribution in [https://github.com/microcosm-cc/bluemonday/pull/142](https://togithub.com/microcosm-cc/bluemonday/pull/142)

**Full Changelog**: https://github.com/microcosm-cc/bluemonday/compare/v1.0.18...v1.0.19

### [`v1.0.18`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.18)

[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.17...v1.0.18)

#### What's Changed

- Fix incorrect handling of iframe SandboxValues by [@kiwiz](https://togithub.com/kiwiz) in [https://github.com/microcosm-cc/bluemonday/pull/138](https://togithub.com/microcosm-cc/bluemonday/pull/138)

**Full Changelog**: https://github.com/microcosm-cc/bluemonday/compare/v1.0.17...v1.0.18

### [`v1.0.17`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.17)

[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.16...v1.0.17)

As per [https://github.com/microcosm-cc/bluemonday/issues/135](https://togithub.com/microcosm-cc/bluemonday/issues/135), [@kiwiz](https://togithub.com/kiwiz) has added support to bluemonday that allows the `iframe` element to correctly declare the security attribute `sandbox`.

You can read about that attribute here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

No other change is in this release.

### [`v1.0.16`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.16)

[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.15...v1.0.16)

CVE-2021-42576

A vulnerability was discovered by https://github.com/TomAnthony https://www.tomanthony.co.uk/ which allowed the contents of a `style` tag to be leaked unsanitized by bluemonday into the HTML output. Further, it was demonstrated that if the form elements `select` and `option` were allowed by the policy, this could result in a successful XSS.

You would only be vulnerable to it if you allowed `style`, `select` and `option` in your HTML sanitization policy:

```go
p := bluemonday.NewPolicy()
p.AllowElements("style","select")
html := p.Sanitize(
```
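As an added example (not part of this PR, Renovate, or the bluemonday project), a small Go check that reads a `go.mod` and flags a bluemonday pin below v1.0.16, the release the notes above tie to CVE-2021-42576; the `go.mod` text and the module path `example.com/drone-matrix` are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// The v1.0.16 release notes quoted above make it the first release carrying the CVE-2021-42576 fix.
const bluemondayPath, bluemondayFixed = "github.com/microcosm-cc/bluemonday", "v1.0.16"
// Constructed go.mod sample; the bluemonday pin mirrors the pre-update version in this PR.
const sampleGoMod = `module example.com/drone-matrix
require (
	github.com/microcosm-cc/bluemonday v1.0.4
	github.com/sirupsen/logrus v1.9.0 // indirect
)
`

// requiredVersion returns the version go.mod requires for modPath, or "" if absent.
// It accepts "require path vX" lines and entries inside a "require ( ... )" block; trailing "// indirect" is ignored.
func requiredVersion(goMod, modPath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "require" { // single-line form
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// semverKey turns a plain "vMAJOR.MINOR.PATCH" tag into a sortable integer
// (assumption: release tags only, no pre-release suffix, each component below 1000).
func semverKey(v string) int {
	key := 0
	for _, p := range strings.Split(strings.TrimPrefix(v, "v"), ".") {
		n, _ := strconv.Atoi(p)
		key = key*1000 + n
	}
	return key
}

// Vulnerable reports whether go.mod pins bluemonday below the CVE-2021-42576 fix.
func Vulnerable(goMod string) bool {
	v := requiredVersion(goMod, bluemondayPath)
	return v != "" && semverKey(v) < semverKey(bluemondayFixed)
}
```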