Disallow dangerous URL schemes (#25960) (#25964)

Regression: https://github.com/go-gitea/gitea/pull/24805 Closes: #25945 - Disallow `javascript`, `vbscript` and `data` (data uri images still work) url schemes even if all other schemes are allowed - Fixed older `cbthunderlink` tests --------- Co-authored-by: delvh <dev.lh@web.de>
2025-08-09 11:08:19 +00:00 · 2023-07-18 21:48:52 +02:00
parent b7d054e4b5
commit ab54310731
4 changed files with 32 additions and 17 deletions
--- a/go.mod
+++ b/go.mod
@@ -76,7 +76,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/meilisearch/meilisearch-go v0.24.0
 	github.com/mholt/archiver/v3 v3.5.1
-	github.com/microcosm-cc/bluemonday v1.0.24
+	github.com/microcosm-cc/bluemonday v1.0.25
 	github.com/minio/minio-go/v7 v7.0.52
 	github.com/minio/sha256-simd v1.0.0
 	github.com/msteinert/pam v1.1.0
@@ -107,12 +107,12 @@ require (
 	github.com/yuin/goldmark v1.5.4
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87
 	github.com/yuin/goldmark-meta v1.1.0
-	golang.org/x/crypto v0.9.0
+	golang.org/x/crypto v0.11.0
 	golang.org/x/image v0.7.0
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.12.0
 	golang.org/x/oauth2 v0.8.0
-	golang.org/x/sys v0.8.0
-	golang.org/x/text v0.9.0
+	golang.org/x/sys v0.10.0
+	golang.org/x/text v0.11.0
 	golang.org/x/tools v0.8.0
 	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.30.0