diff options
Diffstat (limited to 'vendor/github.com/microcosm-cc/bluemonday/doc.go')
| -rw-r--r-- | vendor/github.com/microcosm-cc/bluemonday/doc.go | 104 |
1 files changed, 0 insertions, 104 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/doc.go b/vendor/github.com/microcosm-cc/bluemonday/doc.go deleted file mode 100644 index 2cb0a365..00000000 --- a/vendor/github.com/microcosm-cc/bluemonday/doc.go +++ /dev/null @@ -1,104 +0,0 @@ -// Copyright (c) 2014, David Kitchen <david@buro9.com> -// -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// * Neither the name of the organisation (Microcosm) nor the names of its -// contributors may be used to endorse or promote products derived from -// this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -/* -Package bluemonday provides a way of describing a whitelist of HTML elements -and attributes as a policy, and for that policy to be applied to untrusted -strings from users that may contain markup. All elements and attributes not on -the whitelist will be stripped. - -The default bluemonday.UGCPolicy().Sanitize() turns this: - - Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World - -Into the more harmless: - - Hello World - -And it turns this: - - <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a> - -Into this: - - XSS - -Whilst still allowing this: - - <a href="http://www.google.com/"> - <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> - </a> - -To pass through mostly unaltered (it gained a rel="nofollow"): - - <a href="http://www.google.com/" rel="nofollow"> - <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> - </a> - -The primary purpose of bluemonday is to take potentially unsafe user generated -content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe -for you to put on your website. - -It protects sites against XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) -and other malicious content that a user interface may deliver. There are many -vectors for an XSS attack (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) -and the safest thing to do is to sanitize user input against a known safe list -of HTML elements and attributes. - -Note: You should always run bluemonday after any other processing. - -If you use blackfriday (https://github.com/russross/blackfriday) or -Pandoc (http://johnmacfarlane.net/pandoc/) then bluemonday should be run after -these steps. This ensures that no insecure HTML is introduced later in your -process. - -bluemonday is heavily inspired by both the OWASP Java HTML Sanitizer -(https://code.google.com/p/owasp-java-html-sanitizer/) and the HTML Purifier -(http://htmlpurifier.org/). - -We ship two default policies, one is bluemonday.StrictPolicy() and can be -thought of as equivalent to stripping all HTML elements and their attributes as -it has nothing on it's whitelist. - -The other is bluemonday.UGCPolicy() and allows a broad selection of HTML -elements and attributes that are safe for user generated content. Note that -this policy does not whitelist iframes, object, embed, styles, script, etc. - -The essence of building a policy is to determine which HTML elements and -attributes are considered safe for your scenario. OWASP provide an XSS -prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet ) -to help explain the risks, but essentially: - - 1. Avoid whitelisting anything other than plain HTML elements - 2. Avoid whitelisting `script`, `style`, `iframe`, `object`, `embed`, `base` - elements - 3. Avoid whitelisting anything other than plain HTML elements with simple - values that you can match to a regexp -*/ -package bluemonday |