aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com/microcosm-cc/bluemonday/policy.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/microcosm-cc/bluemonday/policy.go')
-rw-r--r--vendor/github.com/microcosm-cc/bluemonday/policy.go952
1 files changed, 952 insertions, 0 deletions
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go
new file mode 100644
index 0000000..995f46c
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@@ -0,0 +1,952 @@
1// Copyright (c) 2014, David Kitchen <david@buro9.com>
2//
3// All rights reserved.
4//
5// Redistribution and use in source and binary forms, with or without
6// modification, are permitted provided that the following conditions are met:
7//
8// * Redistributions of source code must retain the above copyright notice, this
9// list of conditions and the following disclaimer.
10//
11// * Redistributions in binary form must reproduce the above copyright notice,
12// this list of conditions and the following disclaimer in the documentation
13// and/or other materials provided with the distribution.
14//
15// * Neither the name of the organisation (Microcosm) nor the names of its
16// contributors may be used to endorse or promote products derived from
17// this software without specific prior written permission.
18//
19// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30package bluemonday
31
32//TODO sgutzwiller create map of styles to default handlers
33//TODO sgutzwiller create handlers for various attributes
34import (
35 "net/url"
36 "regexp"
37 "strings"
38
39 "github.com/microcosm-cc/bluemonday/css"
40)
41
42// Policy encapsulates the allowlist of HTML elements and attributes that will
43// be applied to the sanitised HTML.
44//
45// You should use bluemonday.NewPolicy() to create a blank policy as the
46// unexported fields contain maps that need to be initialized.
47type Policy struct {
48
49 // Declares whether the maps have been initialized, used as a cheap check to
50 // ensure that those using Policy{} directly won't cause nil pointer
51 // exceptions
52 initialized bool
53
54 // If true then we add spaces when stripping tags, specifically the closing
55 // tag is replaced by a space character.
56 addSpaces bool
57
58 // When true, add rel="nofollow" to HTML a, area, and link tags
59 requireNoFollow bool
60
61 // When true, add rel="nofollow" to HTML a, area, and link tags
62 // Will add for href="http://foo"
63 // Will skip for href="/foo" or href="foo"
64 requireNoFollowFullyQualifiedLinks bool
65
66 // When true, add rel="noreferrer" to HTML a, area, and link tags
67 requireNoReferrer bool
68
69 // When true, add rel="noreferrer" to HTML a, area, and link tags
70 // Will add for href="http://foo"
71 // Will skip for href="/foo" or href="foo"
72 requireNoReferrerFullyQualifiedLinks bool
73
74 // When true, add crossorigin="anonymous" to HTML audio, img, link, script, and video tags
75 requireCrossOriginAnonymous bool
76
77 // When true, add and filter sandbox attribute on iframe tags
78 requireSandboxOnIFrame map[string]bool
79
80 // When true add target="_blank" to fully qualified links
81 // Will add for href="http://foo"
82 // Will skip for href="/foo" or href="foo"
83 addTargetBlankToFullyQualifiedLinks bool
84
85 // When true, URLs must be parseable by "net/url" url.Parse()
86 requireParseableURLs bool
87
88 // When true, u, _ := url.Parse("url"); !u.IsAbs() is permitted
89 allowRelativeURLs bool
90
91 // When true, allow data attributes.
92 allowDataAttributes bool
93
94 // When true, allow comments.
95 allowComments bool
96
97 // map[htmlElementName]map[htmlAttributeName][]attrPolicy
98 elsAndAttrs map[string]map[string][]attrPolicy
99
100 // elsMatchingAndAttrs stores regex based element matches along with attributes
101 elsMatchingAndAttrs map[*regexp.Regexp]map[string][]attrPolicy
102
103 // map[htmlAttributeName][]attrPolicy
104 globalAttrs map[string][]attrPolicy
105
106 // map[htmlElementName]map[cssPropertyName][]stylePolicy
107 elsAndStyles map[string]map[string][]stylePolicy
108
109 // map[regex]map[cssPropertyName][]stylePolicy
110 elsMatchingAndStyles map[*regexp.Regexp]map[string][]stylePolicy
111
112 // map[cssPropertyName][]stylePolicy
113 globalStyles map[string][]stylePolicy
114
115 // If urlPolicy is nil, all URLs with matching schema are allowed.
116 // Otherwise, only the URLs with matching schema and urlPolicy(url)
117 // returning true are allowed.
118 allowURLSchemes map[string][]urlPolicy
119
120 // These regexps are used to match allowed URL schemes, for example
121 // if one would want to allow all URL schemes, they would add `.+`
122 allowURLSchemeRegexps []*regexp.Regexp
123
124 // If an element has had all attributes removed as a result of a policy
125 // being applied, then the element would be removed from the output.
126 //
127 // However some elements are valid and have strong layout meaning without
128 // any attributes, i.e. <table>. To prevent those being removed we maintain
129 // a list of elements that are allowed to have no attributes and that will
130 // be maintained in the output HTML.
131 setOfElementsAllowedWithoutAttrs map[string]struct{}
132
133 // If an element has had all attributes removed as a result of a policy
134 // being applied, then the element would be removed from the output.
135 //
136 // However some elements are valid and have strong layout meaning without
137 // any attributes, i.e. <table>.
138 //
139 // In this case, any element matching a regular expression will be accepted without
140 // attributes added.
141 setOfElementsMatchingAllowedWithoutAttrs []*regexp.Regexp
142
143 setOfElementsToSkipContent map[string]struct{}
144
145 // Permits fundamentally unsafe elements.
146 //
147 // If false (default) then elements such as `style` and `script` will not be
148 // permitted even if declared in a policy. These elements when combined with
149 // untrusted input cannot be safely handled by bluemonday at this point in
150 // time.
151 //
152 // If true then `style` and `script` would be permitted by bluemonday if a
153 // policy declares them. However this is not recommended under any circumstance
154 // and can lead to XSS being rendered thus defeating the purpose of using a
155 // HTML sanitizer.
156 allowUnsafe bool
157}
158
159type attrPolicy struct {
160
161 // optional pattern to match, when not nil the regexp needs to match
162 // otherwise the attribute is removed
163 regexp *regexp.Regexp
164}
165
166type stylePolicy struct {
167 // handler to validate
168 handler func(string) bool
169
170 // optional pattern to match, when not nil the regexp needs to match
171 // otherwise the property is removed
172 regexp *regexp.Regexp
173
174 // optional list of allowed property values, for properties which
175 // have a defined list of allowed values; property will be removed
176 // if the value is not allowed
177 enum []string
178}
179
180type attrPolicyBuilder struct {
181 p *Policy
182
183 attrNames []string
184 regexp *regexp.Regexp
185 allowEmpty bool
186}
187
188type stylePolicyBuilder struct {
189 p *Policy
190
191 propertyNames []string
192 regexp *regexp.Regexp
193 enum []string
194 handler func(string) bool
195}
196
197type urlPolicy func(url *url.URL) (allowUrl bool)
198
199type SandboxValue int64
200
201const (
202 SandboxAllowDownloads SandboxValue = iota
203 SandboxAllowDownloadsWithoutUserActivation
204 SandboxAllowForms
205 SandboxAllowModals
206 SandboxAllowOrientationLock
207 SandboxAllowPointerLock
208 SandboxAllowPopups
209 SandboxAllowPopupsToEscapeSandbox
210 SandboxAllowPresentation
211 SandboxAllowSameOrigin
212 SandboxAllowScripts
213 SandboxAllowStorageAccessByUserActivation
214 SandboxAllowTopNavigation
215 SandboxAllowTopNavigationByUserActivation
216)
217
218// init initializes the maps if this has not been done already
219func (p *Policy) init() {
220 if !p.initialized {
221 p.elsAndAttrs = make(map[string]map[string][]attrPolicy)
222 p.elsMatchingAndAttrs = make(map[*regexp.Regexp]map[string][]attrPolicy)
223 p.globalAttrs = make(map[string][]attrPolicy)
224 p.elsAndStyles = make(map[string]map[string][]stylePolicy)
225 p.elsMatchingAndStyles = make(map[*regexp.Regexp]map[string][]stylePolicy)
226 p.globalStyles = make(map[string][]stylePolicy)
227 p.allowURLSchemes = make(map[string][]urlPolicy)
228 p.allowURLSchemeRegexps = make([]*regexp.Regexp, 0)
229 p.setOfElementsAllowedWithoutAttrs = make(map[string]struct{})
230 p.setOfElementsToSkipContent = make(map[string]struct{})
231 p.initialized = true
232 }
233}
234
235// NewPolicy returns a blank policy with nothing allowed or permitted. This
236// is the recommended way to start building a policy and you should now use
237// AllowAttrs() and/or AllowElements() to construct the allowlist of HTML
238// elements and attributes.
239func NewPolicy() *Policy {
240
241 p := Policy{}
242
243 p.addDefaultElementsWithoutAttrs()
244 p.addDefaultSkipElementContent()
245
246 return &p
247}
248
249// AllowAttrs takes a range of HTML attribute names and returns an
250// attribute policy builder that allows you to specify the pattern and scope of
251// the allowed attribute.
252//
253// The attribute policy is only added to the core policy when either Globally()
254// or OnElements(...) are called.
255func (p *Policy) AllowAttrs(attrNames ...string) *attrPolicyBuilder {
256
257 p.init()
258
259 abp := attrPolicyBuilder{
260 p: p,
261 allowEmpty: false,
262 }
263
264 for _, attrName := range attrNames {
265 abp.attrNames = append(abp.attrNames, strings.ToLower(attrName))
266 }
267
268 return &abp
269}
270
271// AllowDataAttributes permits all data attributes. We can't specify the name
272// of each attribute exactly as they are customized.
273//
274// NOTE: These values are not sanitized and applications that evaluate or process
275// them without checking and verification of the input may be at risk if this option
276// is enabled. This is a 'caveat emptor' option and the person enabling this option
277// needs to fully understand the potential impact with regards to whatever application
278// will be consuming the sanitized HTML afterwards, i.e. if you know you put a link in a
279// data attribute and use that to automatically load some new window then you're giving
280// the author of a HTML fragment the means to open a malicious destination automatically.
281// Use with care!
282func (p *Policy) AllowDataAttributes() {
283 p.allowDataAttributes = true
284}
285
286// AllowComments allows comments.
287//
288// Please note that only one type of comment will be allowed by this, this is the
289// the standard HTML comment <!-- --> which includes the use of that to permit
290// conditionals as per https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537512(v=vs.85)?redirectedfrom=MSDN
291//
292// What is not permitted are CDATA XML comments, as the x/net/html package we depend
293// on does not handle this fully and we are not choosing to take on that work:
294// https://pkg.go.dev/golang.org/x/net/html#Tokenizer.AllowCDATA . If the x/net/html
295// package changes this then these will be considered, otherwise if you AllowComments
296// but provide a CDATA comment, then as per the documentation in x/net/html this will
297// be treated as a plain HTML comment.
298func (p *Policy) AllowComments() {
299 p.allowComments = true
300}
301
302// AllowNoAttrs says that attributes on element are optional.
303//
304// The attribute policy is only added to the core policy when OnElements(...)
305// are called.
306func (p *Policy) AllowNoAttrs() *attrPolicyBuilder {
307
308 p.init()
309
310 abp := attrPolicyBuilder{
311 p: p,
312 allowEmpty: true,
313 }
314 return &abp
315}
316
317// AllowNoAttrs says that attributes on element are optional.
318//
319// The attribute policy is only added to the core policy when OnElements(...)
320// are called.
321func (abp *attrPolicyBuilder) AllowNoAttrs() *attrPolicyBuilder {
322
323 abp.allowEmpty = true
324
325 return abp
326}
327
328// Matching allows a regular expression to be applied to a nascent attribute
329// policy, and returns the attribute policy.
330func (abp *attrPolicyBuilder) Matching(regex *regexp.Regexp) *attrPolicyBuilder {
331
332 abp.regexp = regex
333
334 return abp
335}
336
337// OnElements will bind an attribute policy to a given range of HTML elements
338// and return the updated policy
339func (abp *attrPolicyBuilder) OnElements(elements ...string) *Policy {
340
341 for _, element := range elements {
342 element = strings.ToLower(element)
343
344 for _, attr := range abp.attrNames {
345
346 if _, ok := abp.p.elsAndAttrs[element]; !ok {
347 abp.p.elsAndAttrs[element] = make(map[string][]attrPolicy)
348 }
349
350 ap := attrPolicy{}
351 if abp.regexp != nil {
352 ap.regexp = abp.regexp
353 }
354
355 abp.p.elsAndAttrs[element][attr] = append(abp.p.elsAndAttrs[element][attr], ap)
356 }
357
358 if abp.allowEmpty {
359 abp.p.setOfElementsAllowedWithoutAttrs[element] = struct{}{}
360
361 if _, ok := abp.p.elsAndAttrs[element]; !ok {
362 abp.p.elsAndAttrs[element] = make(map[string][]attrPolicy)
363 }
364 }
365 }
366
367 return abp.p
368}
369
370// OnElementsMatching will bind an attribute policy to all elements matching a given regex
371// and return the updated policy
372func (abp *attrPolicyBuilder) OnElementsMatching(regex *regexp.Regexp) *Policy {
373 for _, attr := range abp.attrNames {
374 if _, ok := abp.p.elsMatchingAndAttrs[regex]; !ok {
375 abp.p.elsMatchingAndAttrs[regex] = make(map[string][]attrPolicy)
376 }
377 ap := attrPolicy{}
378 if abp.regexp != nil {
379 ap.regexp = abp.regexp
380 }
381 abp.p.elsMatchingAndAttrs[regex][attr] = append(abp.p.elsMatchingAndAttrs[regex][attr], ap)
382 }
383
384 if abp.allowEmpty {
385 abp.p.setOfElementsMatchingAllowedWithoutAttrs = append(abp.p.setOfElementsMatchingAllowedWithoutAttrs, regex)
386 if _, ok := abp.p.elsMatchingAndAttrs[regex]; !ok {
387 abp.p.elsMatchingAndAttrs[regex] = make(map[string][]attrPolicy)
388 }
389 }
390
391 return abp.p
392}
393
394// Globally will bind an attribute policy to all HTML elements and return the
395// updated policy
396func (abp *attrPolicyBuilder) Globally() *Policy {
397
398 for _, attr := range abp.attrNames {
399 if _, ok := abp.p.globalAttrs[attr]; !ok {
400 abp.p.globalAttrs[attr] = []attrPolicy{}
401 }
402
403 ap := attrPolicy{}
404 if abp.regexp != nil {
405 ap.regexp = abp.regexp
406 }
407
408 abp.p.globalAttrs[attr] = append(abp.p.globalAttrs[attr], ap)
409 }
410
411 return abp.p
412}
413
414// AllowStyles takes a range of CSS property names and returns a
415// style policy builder that allows you to specify the pattern and scope of
416// the allowed property.
417//
418// The style policy is only added to the core policy when either Globally()
419// or OnElements(...) are called.
420func (p *Policy) AllowStyles(propertyNames ...string) *stylePolicyBuilder {
421
422 p.init()
423
424 abp := stylePolicyBuilder{
425 p: p,
426 }
427
428 for _, propertyName := range propertyNames {
429 abp.propertyNames = append(abp.propertyNames, strings.ToLower(propertyName))
430 }
431
432 return &abp
433}
434
435// Matching allows a regular expression to be applied to a nascent style
436// policy, and returns the style policy.
437func (spb *stylePolicyBuilder) Matching(regex *regexp.Regexp) *stylePolicyBuilder {
438
439 spb.regexp = regex
440
441 return spb
442}
443
444// MatchingEnum allows a list of allowed values to be applied to a nascent style
445// policy, and returns the style policy.
446func (spb *stylePolicyBuilder) MatchingEnum(enum ...string) *stylePolicyBuilder {
447
448 spb.enum = enum
449
450 return spb
451}
452
453// MatchingHandler allows a handler to be applied to a nascent style
454// policy, and returns the style policy.
455func (spb *stylePolicyBuilder) MatchingHandler(handler func(string) bool) *stylePolicyBuilder {
456
457 spb.handler = handler
458
459 return spb
460}
461
462// OnElements will bind a style policy to a given range of HTML elements
463// and return the updated policy
464func (spb *stylePolicyBuilder) OnElements(elements ...string) *Policy {
465
466 for _, element := range elements {
467 element = strings.ToLower(element)
468
469 for _, attr := range spb.propertyNames {
470
471 if _, ok := spb.p.elsAndStyles[element]; !ok {
472 spb.p.elsAndStyles[element] = make(map[string][]stylePolicy)
473 }
474
475 sp := stylePolicy{}
476 if spb.handler != nil {
477 sp.handler = spb.handler
478 } else if len(spb.enum) > 0 {
479 sp.enum = spb.enum
480 } else if spb.regexp != nil {
481 sp.regexp = spb.regexp
482 } else {
483 sp.handler = css.GetDefaultHandler(attr)
484 }
485 spb.p.elsAndStyles[element][attr] = append(spb.p.elsAndStyles[element][attr], sp)
486 }
487 }
488
489 return spb.p
490}
491
492// OnElementsMatching will bind a style policy to any HTML elements matching the pattern
493// and return the updated policy
494func (spb *stylePolicyBuilder) OnElementsMatching(regex *regexp.Regexp) *Policy {
495
496 for _, attr := range spb.propertyNames {
497
498 if _, ok := spb.p.elsMatchingAndStyles[regex]; !ok {
499 spb.p.elsMatchingAndStyles[regex] = make(map[string][]stylePolicy)
500 }
501
502 sp := stylePolicy{}
503 if spb.handler != nil {
504 sp.handler = spb.handler
505 } else if len(spb.enum) > 0 {
506 sp.enum = spb.enum
507 } else if spb.regexp != nil {
508 sp.regexp = spb.regexp
509 } else {
510 sp.handler = css.GetDefaultHandler(attr)
511 }
512 spb.p.elsMatchingAndStyles[regex][attr] = append(spb.p.elsMatchingAndStyles[regex][attr], sp)
513 }
514
515 return spb.p
516}
517
518// Globally will bind a style policy to all HTML elements and return the
519// updated policy
520func (spb *stylePolicyBuilder) Globally() *Policy {
521
522 for _, attr := range spb.propertyNames {
523 if _, ok := spb.p.globalStyles[attr]; !ok {
524 spb.p.globalStyles[attr] = []stylePolicy{}
525 }
526
527 // Use only one strategy for validating styles, fallback to default
528 sp := stylePolicy{}
529 if spb.handler != nil {
530 sp.handler = spb.handler
531 } else if len(spb.enum) > 0 {
532 sp.enum = spb.enum
533 } else if spb.regexp != nil {
534 sp.regexp = spb.regexp
535 } else {
536 sp.handler = css.GetDefaultHandler(attr)
537 }
538 spb.p.globalStyles[attr] = append(spb.p.globalStyles[attr], sp)
539 }
540
541 return spb.p
542}
543
544// AllowElements will append HTML elements to the allowlist without applying an
545// attribute policy to those elements (the elements are permitted
546// sans-attributes)
547func (p *Policy) AllowElements(names ...string) *Policy {
548 p.init()
549
550 for _, element := range names {
551 element = strings.ToLower(element)
552
553 if _, ok := p.elsAndAttrs[element]; !ok {
554 p.elsAndAttrs[element] = make(map[string][]attrPolicy)
555 }
556 }
557
558 return p
559}
560
561// AllowElementsMatching will append HTML elements to the allowlist if they
562// match a regexp.
563func (p *Policy) AllowElementsMatching(regex *regexp.Regexp) *Policy {
564 p.init()
565 if _, ok := p.elsMatchingAndAttrs[regex]; !ok {
566 p.elsMatchingAndAttrs[regex] = make(map[string][]attrPolicy)
567 }
568 return p
569}
570
571// AllowURLSchemesMatching will append URL schemes to the allowlist if they
572// match a regexp.
573func (p *Policy) AllowURLSchemesMatching(r *regexp.Regexp) *Policy {
574 p.allowURLSchemeRegexps = append(p.allowURLSchemeRegexps, r)
575 return p
576}
577
578// RequireNoFollowOnLinks will result in all a, area, link tags having a
579// rel="nofollow"added to them if one does not already exist
580//
581// Note: This requires p.RequireParseableURLs(true) and will enable it.
582func (p *Policy) RequireNoFollowOnLinks(require bool) *Policy {
583
584 p.requireNoFollow = require
585 p.requireParseableURLs = true
586
587 return p
588}
589
590// RequireNoFollowOnFullyQualifiedLinks will result in all a, area, and link
591// tags that point to a non-local destination (i.e. starts with a protocol and
592// has a host) having a rel="nofollow" added to them if one does not already
593// exist
594//
595// Note: This requires p.RequireParseableURLs(true) and will enable it.
596func (p *Policy) RequireNoFollowOnFullyQualifiedLinks(require bool) *Policy {
597
598 p.requireNoFollowFullyQualifiedLinks = require
599 p.requireParseableURLs = true
600
601 return p
602}
603
604// RequireNoReferrerOnLinks will result in all a, area, and link tags having a
605// rel="noreferrrer" added to them if one does not already exist
606//
607// Note: This requires p.RequireParseableURLs(true) and will enable it.
608func (p *Policy) RequireNoReferrerOnLinks(require bool) *Policy {
609
610 p.requireNoReferrer = require
611 p.requireParseableURLs = true
612
613 return p
614}
615
616// RequireNoReferrerOnFullyQualifiedLinks will result in all a, area, and link
617// tags that point to a non-local destination (i.e. starts with a protocol and
618// has a host) having a rel="noreferrer" added to them if one does not already
619// exist
620//
621// Note: This requires p.RequireParseableURLs(true) and will enable it.
622func (p *Policy) RequireNoReferrerOnFullyQualifiedLinks(require bool) *Policy {
623
624 p.requireNoReferrerFullyQualifiedLinks = require
625 p.requireParseableURLs = true
626
627 return p
628}
629
630// RequireCrossOriginAnonymous will result in all audio, img, link, script, and
631// video tags having a crossorigin="anonymous" added to them if one does not
632// already exist
633func (p *Policy) RequireCrossOriginAnonymous(require bool) *Policy {
634
635 p.requireCrossOriginAnonymous = require
636
637 return p
638}
639
640// AddTargetBlankToFullyQualifiedLinks will result in all a, area and link tags
641// that point to a non-local destination (i.e. starts with a protocol and has a
642// host) having a target="_blank" added to them if one does not already exist
643//
644// Note: This requires p.RequireParseableURLs(true) and will enable it.
645func (p *Policy) AddTargetBlankToFullyQualifiedLinks(require bool) *Policy {
646
647 p.addTargetBlankToFullyQualifiedLinks = require
648 p.requireParseableURLs = true
649
650 return p
651}
652
653// RequireParseableURLs will result in all URLs requiring that they be parseable
654// by "net/url" url.Parse()
655// This applies to:
656// - a.href
657// - area.href
658// - blockquote.cite
659// - img.src
660// - link.href
661// - script.src
662func (p *Policy) RequireParseableURLs(require bool) *Policy {
663
664 p.requireParseableURLs = require
665
666 return p
667}
668
669// AllowRelativeURLs enables RequireParseableURLs and then permits URLs that
670// are parseable, have no schema information and url.IsAbs() returns false
671// This permits local URLs
672func (p *Policy) AllowRelativeURLs(require bool) *Policy {
673
674 p.RequireParseableURLs(true)
675 p.allowRelativeURLs = require
676
677 return p
678}
679
680// AllowURLSchemes will append URL schemes to the allowlist
681// Example: p.AllowURLSchemes("mailto", "http", "https")
682func (p *Policy) AllowURLSchemes(schemes ...string) *Policy {
683 p.init()
684
685 p.RequireParseableURLs(true)
686
687 for _, scheme := range schemes {
688 scheme = strings.ToLower(scheme)
689
690 // Allow all URLs with matching scheme.
691 p.allowURLSchemes[scheme] = nil
692 }
693
694 return p
695}
696
697// AllowURLSchemeWithCustomPolicy will append URL schemes with
698// a custom URL policy to the allowlist.
699// Only the URLs with matching schema and urlPolicy(url)
700// returning true will be allowed.
701func (p *Policy) AllowURLSchemeWithCustomPolicy(
702 scheme string,
703 urlPolicy func(url *url.URL) (allowUrl bool),
704) *Policy {
705
706 p.init()
707
708 p.RequireParseableURLs(true)
709
710 scheme = strings.ToLower(scheme)
711
712 p.allowURLSchemes[scheme] = append(p.allowURLSchemes[scheme], urlPolicy)
713
714 return p
715}
716
717// RequireSandboxOnIFrame will result in all iframe tags having a sandbox="" tag
718// Any sandbox values not specified here will be filtered from the generated HTML
719func (p *Policy) RequireSandboxOnIFrame(vals ...SandboxValue) {
720 p.requireSandboxOnIFrame = make(map[string]bool)
721
722 for _, val := range vals {
723 switch SandboxValue(val) {
724 case SandboxAllowDownloads:
725 p.requireSandboxOnIFrame["allow-downloads"] = true
726
727 case SandboxAllowDownloadsWithoutUserActivation:
728 p.requireSandboxOnIFrame["allow-downloads-without-user-activation"] = true
729
730 case SandboxAllowForms:
731 p.requireSandboxOnIFrame["allow-forms"] = true
732
733 case SandboxAllowModals:
734 p.requireSandboxOnIFrame["allow-modals"] = true
735
736 case SandboxAllowOrientationLock:
737 p.requireSandboxOnIFrame["allow-orientation-lock"] = true
738
739 case SandboxAllowPointerLock:
740 p.requireSandboxOnIFrame["allow-pointer-lock"] = true
741
742 case SandboxAllowPopups:
743 p.requireSandboxOnIFrame["allow-popups"] = true
744
745 case SandboxAllowPopupsToEscapeSandbox:
746 p.requireSandboxOnIFrame["allow-popups-to-escape-sandbox"] = true
747
748 case SandboxAllowPresentation:
749 p.requireSandboxOnIFrame["allow-presentation"] = true
750
751 case SandboxAllowSameOrigin:
752 p.requireSandboxOnIFrame["allow-same-origin"] = true
753
754 case SandboxAllowScripts:
755 p.requireSandboxOnIFrame["allow-scripts"] = true
756
757 case SandboxAllowStorageAccessByUserActivation:
758 p.requireSandboxOnIFrame["allow-storage-access-by-user-activation"] = true
759
760 case SandboxAllowTopNavigation:
761 p.requireSandboxOnIFrame["allow-top-navigation"] = true
762
763 case SandboxAllowTopNavigationByUserActivation:
764 p.requireSandboxOnIFrame["allow-top-navigation-by-user-activation"] = true
765 }
766 }
767}
768
769// AddSpaceWhenStrippingTag states whether to add a single space " " when
770// removing tags that are not allowed by the policy.
771//
772// This is useful if you expect to strip tags in dense markup and may lose the
773// value of whitespace.
774//
775// For example: "<p>Hello</p><p>World</p>"" would be sanitized to "HelloWorld"
776// with the default value of false, but you may wish to sanitize this to
777// " Hello World " by setting AddSpaceWhenStrippingTag to true as this would
778// retain the intent of the text.
779func (p *Policy) AddSpaceWhenStrippingTag(allow bool) *Policy {
780
781 p.addSpaces = allow
782
783 return p
784}
785
786// SkipElementsContent adds the HTML elements whose tags is needed to be removed
787// with its content.
788func (p *Policy) SkipElementsContent(names ...string) *Policy {
789
790 p.init()
791
792 for _, element := range names {
793 element = strings.ToLower(element)
794
795 if _, ok := p.setOfElementsToSkipContent[element]; !ok {
796 p.setOfElementsToSkipContent[element] = struct{}{}
797 }
798 }
799
800 return p
801}
802
803// AllowElementsContent marks the HTML elements whose content should be
804// retained after removing the tag.
805func (p *Policy) AllowElementsContent(names ...string) *Policy {
806
807 p.init()
808
809 for _, element := range names {
810 delete(p.setOfElementsToSkipContent, strings.ToLower(element))
811 }
812
813 return p
814}
815
816// AllowUnsafe permits fundamentally unsafe elements.
817//
818// If false (default) then elements such as `style` and `script` will not be
819// permitted even if declared in a policy. These elements when combined with
820// untrusted input cannot be safely handled by bluemonday at this point in
821// time.
822//
823// If true then `style` and `script` would be permitted by bluemonday if a
824// policy declares them. However this is not recommended under any circumstance
825// and can lead to XSS being rendered thus defeating the purpose of using a
826// HTML sanitizer.
827func (p *Policy) AllowUnsafe(allowUnsafe bool) *Policy {
828 p.init()
829 p.allowUnsafe = allowUnsafe
830 return p
831}
832
833// addDefaultElementsWithoutAttrs adds the HTML elements that we know are valid
834// without any attributes to an internal map.
835// i.e. we know that <table> is valid, but <bdo> isn't valid as the "dir" attr
836// is mandatory
837func (p *Policy) addDefaultElementsWithoutAttrs() {
838 p.init()
839
840 p.setOfElementsAllowedWithoutAttrs["abbr"] = struct{}{}
841 p.setOfElementsAllowedWithoutAttrs["acronym"] = struct{}{}
842 p.setOfElementsAllowedWithoutAttrs["address"] = struct{}{}
843 p.setOfElementsAllowedWithoutAttrs["article"] = struct{}{}
844 p.setOfElementsAllowedWithoutAttrs["aside"] = struct{}{}
845 p.setOfElementsAllowedWithoutAttrs["audio"] = struct{}{}
846 p.setOfElementsAllowedWithoutAttrs["b"] = struct{}{}
847 p.setOfElementsAllowedWithoutAttrs["bdi"] = struct{}{}
848 p.setOfElementsAllowedWithoutAttrs["blockquote"] = struct{}{}
849 p.setOfElementsAllowedWithoutAttrs["body"] = struct{}{}
850 p.setOfElementsAllowedWithoutAttrs["br"] = struct{}{}
851 p.setOfElementsAllowedWithoutAttrs["button"] = struct{}{}
852 p.setOfElementsAllowedWithoutAttrs["canvas"] = struct{}{}
853 p.setOfElementsAllowedWithoutAttrs["caption"] = struct{}{}
854 p.setOfElementsAllowedWithoutAttrs["center"] = struct{}{}
855 p.setOfElementsAllowedWithoutAttrs["cite"] = struct{}{}
856 p.setOfElementsAllowedWithoutAttrs["code"] = struct{}{}
857 p.setOfElementsAllowedWithoutAttrs["col"] = struct{}{}
858 p.setOfElementsAllowedWithoutAttrs["colgroup"] = struct{}{}
859 p.setOfElementsAllowedWithoutAttrs["datalist"] = struct{}{}
860 p.setOfElementsAllowedWithoutAttrs["dd"] = struct{}{}
861 p.setOfElementsAllowedWithoutAttrs["del"] = struct{}{}
862 p.setOfElementsAllowedWithoutAttrs["details"] = struct{}{}
863 p.setOfElementsAllowedWithoutAttrs["dfn"] = struct{}{}
864 p.setOfElementsAllowedWithoutAttrs["div"] = struct{}{}
865 p.setOfElementsAllowedWithoutAttrs["dl"] = struct{}{}
866 p.setOfElementsAllowedWithoutAttrs["dt"] = struct{}{}
867 p.setOfElementsAllowedWithoutAttrs["em"] = struct{}{}
868 p.setOfElementsAllowedWithoutAttrs["fieldset"] = struct{}{}
869 p.setOfElementsAllowedWithoutAttrs["figcaption"] = struct{}{}
870 p.setOfElementsAllowedWithoutAttrs["figure"] = struct{}{}
871 p.setOfElementsAllowedWithoutAttrs["footer"] = struct{}{}
872 p.setOfElementsAllowedWithoutAttrs["h1"] = struct{}{}
873 p.setOfElementsAllowedWithoutAttrs["h2"] = struct{}{}
874 p.setOfElementsAllowedWithoutAttrs["h3"] = struct{}{}
875 p.setOfElementsAllowedWithoutAttrs["h4"] = struct{}{}
876 p.setOfElementsAllowedWithoutAttrs["h5"] = struct{}{}
877 p.setOfElementsAllowedWithoutAttrs["h6"] = struct{}{}
878 p.setOfElementsAllowedWithoutAttrs["head"] = struct{}{}
879 p.setOfElementsAllowedWithoutAttrs["header"] = struct{}{}
880 p.setOfElementsAllowedWithoutAttrs["hgroup"] = struct{}{}
881 p.setOfElementsAllowedWithoutAttrs["hr"] = struct{}{}
882 p.setOfElementsAllowedWithoutAttrs["html"] = struct{}{}
883 p.setOfElementsAllowedWithoutAttrs["i"] = struct{}{}
884 p.setOfElementsAllowedWithoutAttrs["ins"] = struct{}{}
885 p.setOfElementsAllowedWithoutAttrs["kbd"] = struct{}{}
886 p.setOfElementsAllowedWithoutAttrs["li"] = struct{}{}
887 p.setOfElementsAllowedWithoutAttrs["mark"] = struct{}{}
888 p.setOfElementsAllowedWithoutAttrs["marquee"] = struct{}{}
889 p.setOfElementsAllowedWithoutAttrs["nav"] = struct{}{}
890 p.setOfElementsAllowedWithoutAttrs["ol"] = struct{}{}
891 p.setOfElementsAllowedWithoutAttrs["optgroup"] = struct{}{}
892 p.setOfElementsAllowedWithoutAttrs["option"] = struct{}{}
893 p.setOfElementsAllowedWithoutAttrs["p"] = struct{}{}
894 p.setOfElementsAllowedWithoutAttrs["picture"] = struct{}{}
895 p.setOfElementsAllowedWithoutAttrs["pre"] = struct{}{}
896 p.setOfElementsAllowedWithoutAttrs["q"] = struct{}{}
897 p.setOfElementsAllowedWithoutAttrs["rp"] = struct{}{}
898 p.setOfElementsAllowedWithoutAttrs["rt"] = struct{}{}
899 p.setOfElementsAllowedWithoutAttrs["ruby"] = struct{}{}
900 p.setOfElementsAllowedWithoutAttrs["s"] = struct{}{}
901 p.setOfElementsAllowedWithoutAttrs["samp"] = struct{}{}
902 p.setOfElementsAllowedWithoutAttrs["script"] = struct{}{}
903 p.setOfElementsAllowedWithoutAttrs["section"] = struct{}{}
904 p.setOfElementsAllowedWithoutAttrs["select"] = struct{}{}
905 p.setOfElementsAllowedWithoutAttrs["small"] = struct{}{}
906 p.setOfElementsAllowedWithoutAttrs["span"] = struct{}{}
907 p.setOfElementsAllowedWithoutAttrs["strike"] = struct{}{}
908 p.setOfElementsAllowedWithoutAttrs["strong"] = struct{}{}
909 p.setOfElementsAllowedWithoutAttrs["style"] = struct{}{}
910 p.setOfElementsAllowedWithoutAttrs["sub"] = struct{}{}
911 p.setOfElementsAllowedWithoutAttrs["summary"] = struct{}{}
912 p.setOfElementsAllowedWithoutAttrs["sup"] = struct{}{}
913 p.setOfElementsAllowedWithoutAttrs["svg"] = struct{}{}
914 p.setOfElementsAllowedWithoutAttrs["table"] = struct{}{}
915 p.setOfElementsAllowedWithoutAttrs["tbody"] = struct{}{}
916 p.setOfElementsAllowedWithoutAttrs["td"] = struct{}{}
917 p.setOfElementsAllowedWithoutAttrs["textarea"] = struct{}{}
918 p.setOfElementsAllowedWithoutAttrs["tfoot"] = struct{}{}
919 p.setOfElementsAllowedWithoutAttrs["th"] = struct{}{}
920 p.setOfElementsAllowedWithoutAttrs["thead"] = struct{}{}
921 p.setOfElementsAllowedWithoutAttrs["title"] = struct{}{}
922 p.setOfElementsAllowedWithoutAttrs["time"] = struct{}{}
923 p.setOfElementsAllowedWithoutAttrs["tr"] = struct{}{}
924 p.setOfElementsAllowedWithoutAttrs["tt"] = struct{}{}
925 p.setOfElementsAllowedWithoutAttrs["u"] = struct{}{}
926 p.setOfElementsAllowedWithoutAttrs["ul"] = struct{}{}
927 p.setOfElementsAllowedWithoutAttrs["var"] = struct{}{}
928 p.setOfElementsAllowedWithoutAttrs["video"] = struct{}{}
929 p.setOfElementsAllowedWithoutAttrs["wbr"] = struct{}{}
930
931}
932
933// addDefaultSkipElementContent adds the HTML elements that we should skip
934// rendering the character content of, if the element itself is not allowed.
935// This is all character data that the end user would not normally see.
936// i.e. if we exclude a <script> tag then we shouldn't render the JavaScript or
937// anything else until we encounter the closing </script> tag.
938func (p *Policy) addDefaultSkipElementContent() {
939 p.init()
940
941 p.setOfElementsToSkipContent["frame"] = struct{}{}
942 p.setOfElementsToSkipContent["frameset"] = struct{}{}
943 p.setOfElementsToSkipContent["iframe"] = struct{}{}
944 p.setOfElementsToSkipContent["noembed"] = struct{}{}
945 p.setOfElementsToSkipContent["noframes"] = struct{}{}
946 p.setOfElementsToSkipContent["noscript"] = struct{}{}
947 p.setOfElementsToSkipContent["nostyle"] = struct{}{}
948 p.setOfElementsToSkipContent["object"] = struct{}{}
949 p.setOfElementsToSkipContent["script"] = struct{}{}
950 p.setOfElementsToSkipContent["style"] = struct{}{}
951 p.setOfElementsToSkipContent["title"] = struct{}{}
952}
generated by cgit v1.2.3 (git 2.46.0) at 2026-04-30 05:19:20 +0000