microcosm-cc/bluemonday
### [`v1.0.20`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.20)
[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.19...v1.0.20)
This is an update of dependencies; specifically, it updates the HTML parser within go/net/html.
The update removes a capability: Microsoft-style comments that allow browser conditionals no longer work. This is due to a fix on the part of the Go team to prevent XSS within HTML comments, and the commit in question is here: https://github.com/golang/net/commit/06994584. There is no easy-to-see safe way to restore that functionality without adding more risk to those who `.AllowComments()`, and so I am accepting that this non-standard use of HTML comments is no longer supported.
As part of this version, the older release of v1.0.19 is retracted.
### [`v1.0.19`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.19)
[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.18...v1.0.19)
#### What's Changed
- css: improve RGB hex color and length matching by [@hochhaus](https://togithub.com/hochhaus) in [https://github.com/microcosm-cc/bluemonday/pull/142](https://togithub.com/microcosm-cc/bluemonday/pull/142)
- css: add support for `image/svg+xml` for data-uri inline images
- html: fix double-escaping of content within HTML attributes
- tests: added more tests to provide examples of proofs of some open issues
#### New Contributors
- [@hochhaus](https://togithub.com/hochhaus) made their first contribution in [https://github.com/microcosm-cc/bluemonday/pull/142](https://togithub.com/microcosm-cc/bluemonday/pull/142)
**Full Changelog**: https://github.com/microcosm-cc/bluemonday/compare/v1.0.18...v1.0.19
### [`v1.0.18`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.18)
[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.17...v1.0.18)
#### What's Changed
- Fix incorrect handling of iframe SandboxValues by [@kiwiz](https://togithub.com/kiwiz) in [https://github.com/microcosm-cc/bluemonday/pull/138](https://togithub.com/microcosm-cc/bluemonday/pull/138)
**Full Changelog**: https://github.com/microcosm-cc/bluemonday/compare/v1.0.17...v1.0.18
### [`v1.0.17`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.17)
[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.16...v1.0.17)
As per [https://github.com/microcosm-cc/bluemonday/issues/135](https://togithub.com/microcosm-cc/bluemonday/issues/135) [@kiwiz](https://togithub.com/kiwiz) has added support to bluemonday that allows the `iframe` element to correctly declare the security attribute `sandbox`.
You can read about that attribute here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
No other change is in this release.
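The `sandbox` attribute is a space-separated token list, so a sanitizer that lets it through has to validate each token against a known allow-list instead of passing the value verbatim. The Go program below is an added example written for this page, not bluemonday's own code; its allow-list is an illustrative subset of the tokens the MDN page documents, and the "escape" check reflects MDN's note that `allow-scripts` combined with `allow-same-origin` lets the framed document remove its own sandbox.

```go
package main

import (
	"fmt"
	"strings"
)

// Tokens the sandbox attribute accepts, from the MDN page the release notes link.
// Real sanitizers keep a similar allow-list; this one is an illustrative subset.
var allowedSandboxTokens = map[string]bool{
	"allow-downloads": true, "allow-forms": true, "allow-modals": true,
	"allow-orientation-lock": true, "allow-pointer-lock": true, "allow-popups": true,
	"allow-popups-to-escape-sandbox": true, "allow-presentation": true,
	"allow-same-origin": true, "allow-scripts": true, "allow-top-navigation": true,
	"allow-top-navigation-by-user-activation": true,
}

// FilterSandbox splits a raw sandbox attribute value into the tokens a policy
// may keep and the ones it must drop. Tokens are ASCII case-insensitive and
// duplicates collapse; an empty value is valid and means "all restrictions on".
func FilterSandbox(raw string) (kept, rejected []string) {
	seen := map[string]bool{}
	for _, tok := range strings.Fields(strings.ToLower(raw)) {
		if seen[tok] {
			continue
		}
		seen[tok] = true
		if allowedSandboxTokens[tok] {
			kept = append(kept, tok)
		} else {
			rejected = append(rejected, tok)
		}
	}
	return kept, rejected
}

// EscapesSandbox reports whether the kept tokens let framed content remove
// its own sandbox: MDN notes that allow-scripts plus allow-same-origin
// lets a same-origin document strip the sandbox attribute from the iframe.
func EscapesSandbox(tokens []string) bool {
	has := map[string]bool{}
	for _, t := range tokens {
		has[t] = true
	}
	return has["allow-scripts"] && has["allow-same-origin"]
}

func main() {
	kept, rejected := FilterSandbox("allow-forms ALLOW-SCRIPTS bogus-token allow-same-origin")
	fmt.Println("kept:", kept, "rejected:", rejected, "escapes sandbox:", EscapesSandbox(kept))
}
```

A policy that wants to be strict can drop the whole attribute (or the whole `iframe`) when `EscapesSandbox` returns true rather than keeping the filtered tokens.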
### [`v1.0.16`](https://togithub.com/microcosm-cc/bluemonday/releases/tag/v1.0.16)
[Compare Source](https://togithub.com/microcosm-cc/bluemonday/compare/v1.0.15...v1.0.16)
CVE-2021-42576
A vulnerability was discovered by https://github.com/TomAnthony https://www.tomanthony.co.uk/ which allowed the contents of a `style` tag to be leaked unsanitized by bluemonday into the HTML output. Further it was demonstrated that if the form elements `select` and `option` were allowed by the policy that this could result in a successful XSS.
You would only be vulnerable to this if you allowed `style`, `select` and `option` in your HTML sanitization policy:
```go
import "github.com/microcosm-cc/bluemonday"

p := bluemonday.NewPolicy()
p.AllowElements("style", "select")
// The untrusted HTML literal from the original snippet is cut off on this page;
// `input` stands in for it.
html := p.Sanitize(input)
```
This PR contains the following updates: `v1.0.4` -> `v1.0.20`
Release Notes