
Commit 00698da

internal/frontend: replace bluemonday with the simple sanitizer
The simple sanitizer has very few diffs compared to bluemonday and they're all accounted for. For #61399 Change-Id: Ib22b5828e8c1073a6fe3c2f87eee658eda3165a0 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/547875 kokoro-CI: kokoro <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Jonathan Amsterdam <[email protected]>
1 parent a7abb35 commit 00698da

3 files changed

+3
-24
lines changed


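--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,6 @@ require (
 github.com/jackc/pgx/v4 v4.14.1
 github.com/jba/templatecheck v0.6.0
 github.com/lib/pq v1.10.9
-github.com/microcosm-cc/bluemonday v1.0.25
 github.com/russross/blackfriday/v2 v2.1.0
 github.com/yuin/goldmark v1.4.13
 github.com/yuin/goldmark-emoji v1.0.1
@@ -55,7 +54,6 @@ require (
 cloud.google.com/go/trace v1.9.0 // indirect
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 github.com/aws/aws-sdk-go v1.34.29 // indirect
-github.com/aymerick/douceur v0.2.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -68,7 +66,6 @@ require (
 github.com/google/uuid v1.3.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 github.com/googleapis/gax-go/v2 v2.11.0 // indirect
-github.com/gorilla/css v1.0.0 // indirect
 github.com/hashicorp/errwrap v1.0.0 // indirect
 github.com/hashicorp/go-multierror v1.1.0 // indirect
 github.com/jackc/chunkreader/v2 v2.0.1 // indirect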

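--- a/go.sum
+++ b/go.sum
@@ -180,8 +180,6 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.6.1/go.mod h1:hLZ/AnkIKHLuPGjEiyghNE
 github.com/aws/aws-sdk-go-v2/service/sts v1.7.2/go.mod h1:8EzeIqfWt2wWT4rJVu3f21TfrhJ8AEMzVybRNSb/b4g=
 github.com/aws/smithy-go v1.7.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
-github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
-github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -600,8 +598,6 @@ github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cU
 github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
-github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/handlers v1.4.2/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -801,8 +797,6 @@ github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
-github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=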

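--- a/internal/frontend/readme.go
+++ b/internal/frontend/readme.go
@@ -11,7 +11,6 @@ import (
 "github.com/google/safehtml"
 "github.com/google/safehtml/template"
 "github.com/google/safehtml/uncheckedconversions"
-"github.com/microcosm-cc/bluemonday"
 "github.com/yuin/goldmark"
 emoji "github.com/yuin/goldmark-emoji"
 "github.com/yuin/goldmark/extension"
@@ -23,6 +22,7 @@ import (
 "golang.org/x/pkgsite/internal"
 "golang.org/x/pkgsite/internal/derrors"
 "golang.org/x/pkgsite/internal/log"
+"golang.org/x/pkgsite/internal/sanitizer"
 "golang.org/x/pkgsite/internal/source"
 )
 
@@ -112,7 +112,7 @@ func processReadme(ctx context.Context, readme *internal.Readme, sourceInfo *sou
 ),
 ),
 // These extensions lets users write HTML code in the README. This is
-// fine since we process the contents using bluemonday after.
+// fine since we process the contents using the sanitizer after.
 goldmark.WithRendererOptions(goldmarkHtml.WithUnsafe(), goldmarkHtml.WithXHTML()),
 goldmark.WithExtensions(
 extension.GFM, // Support Github Flavored Markdown.
@@ -159,18 +159,6 @@ func processReadme(ctx context.Context, readme *internal.Readme, sourceInfo *sou
 
 // sanitizeHTML sanitizes HTML from a bytes.Buffer so that it is safe.
 func sanitizeHTML(b *bytes.Buffer) safehtml.HTML {
-p := bluemonday.UGCPolicy()
-
-p.AllowAttrs("width", "align").OnElements("img")
-p.AllowAttrs("width", "align").OnElements("div")
-p.AllowAttrs("width", "align").OnElements("p")
-// Allow accessible headings (i.e <div role="heading" aria-level="7">).
-p.AllowAttrs("width", "align", "role", "aria-level").OnElements("div")
-for _, h := range []string{"h1", "h2", "h3", "h4", "h5", "h6"} {
-// Needed to preserve github styles heading font-sizes
-p.AllowAttrs("class").OnElements(h)
-}
-
-s := string(p.SanitizeBytes(b.Bytes()))
+s := string(sanitizer.SanitizeBytes(b.Bytes()))
 return uncheckedconversions.HTMLFromStringKnownToSatisfyTypeContract(s)
 }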
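Review bot: sanitizeHTML's doc comment no longer records what the sanitizing policy allows, yet the function still wraps the result in uncheckedconversions.HTMLFromStringKnownToSatisfyTypeContract, so the safehtml.HTML guarantee now rests entirely on sanitizer.SanitizeBytes. The removed bluemonday setup doubled as documentation of the deliberate extras (width/align on img, div and p; role and aria-level on div; class on h1–h6), and that record should survive the move; I'd extend the comment with `// The allow-list (width/align on img/div/p, role/aria-level on div, class on h1-h6) is defined in internal/sanitizer; the unchecked conversion below is only sound as long as that package's output satisfies the safehtml.HTML contract.` If nothing pins those attributes through sanitizeHTML, a later narrowing or loosening of the sanitizer's policy would pass straight through this conversion unnoticed, so a test on this function is worth having; whether internal/sanitizer already carries such a test is not visible from this page.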
