search

microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.12k stars 176 forks source link

undefined: strings.Builder #116

Closed anrizal closed 3 years ago

anrizal commented 3 years ago

Recently, I received the following error when I ran go get -u github.com/microcosm-cc/bluemonday command. I am using go1.9.2

# github.com/microcosm-cc/bluemonday
go/src/github.com/microcosm-cc/bluemonday/sanitize.go:173:8: undefined: strings.Builder

seems like the declaration of var b strings.Builder caused the issue. Unfortunately I did not have time to dig deeper. Maybe someone could continue.

Thank you

buro9 commented 3 years ago

https://github.com/microcosm-cc/bluemonday/blame/master/sanitize.go#L173

The change was introduced 4 months ago and merged into v1.0.6 as of 8 days ago.

https://golang.org/pkg/strings/#Builder Builder was introduced in go 1.10

So this is confirmed, I'll make the change later this evening to make this back compatible again.

However... as a workaround if this is immediately critical are:

  1. Use the v1.0.5 tag (please see later releases to determine the risk to you for doing that - at time of writing both subsequent tags are feature improvements rather than security risks)
  2. Update to go 1.10 or later

I realise neither workaround may be ideal, so will assess the impact and will offer an update the fixes it.

buro9 commented 3 years ago

Resolved by changing the strings.Builder to bytes.Buffer