replace zxq.co/ripple/hanayo

vendor/github.com/microcosm-cc/bluemonday/cmd/sanitise_html_email/doc.go

@@ -0,0 +1,12 @@
+/*
+Package main demonstrates a HTML email cleaner.
+
+It should be noted that this uses bluemonday to sanitize the HTML but as it
+preserves the styling of the email this should not be considered a safe or XSS
+secure approach.
+
+It does function as a basic demonstration of how to take HTML emails, which are
+notorious for having inconsistent, obselete and poorly formatted HTML, and to
+use bluemonday to normalise the output.
+*/
+package main

vendor/github.com/microcosm-cc/bluemonday/cmd/sanitise_html_email/main.go

@@ -0,0 +1,76 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"regexp"
+
+	"github.com/microcosm-cc/bluemonday"
+)
+
+var (
+	// Color is a valid hex color or name of a web safe color
+	Color = regexp.MustCompile(`(?i)^(#[0-9a-fA-F]{1,6}|black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua|orange|aliceblue|antiquewhite|aquamarine|azure|beige|bisque|blanchedalmond|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|cornflowerblue|cornsilk|crimson|darkblue|darkcyan|darkgoldenrod|darkgray|darkgreen|darkgrey|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|firebrick|floralwhite|forestgreen|gainsboro|ghostwhite|gold|goldenrod|greenyellow|grey|honeydew|hotpink|indianred|indigo|ivory|khaki|lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|lightgoldenrodyellow|lightgray|lightgreen|lightgrey|lightpink|lightsalmon|lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|lightyellow|limegreen|linen|mediumaquamarine|mediumblue|mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|navajowhite|oldlace|olivedrab|orangered|orchid|palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|peru|pink|plum|powderblue|rosybrown|royalblue|saddlebrown|salmon|sandybrown|seagreen|seashell|sienna|skyblue|slateblue|slategray|slategrey|snow|springgreen|steelblue|tan|thistle|tomato|turquoise|violet|wheat|whitesmoke|yellowgreen|rebeccapurple)$`)
+
+	// ButtonType is a button type, or a style type, i.e. "submit"
+	ButtonType = regexp.MustCompile(`(?i)^[a-zA-Z][a-zA-Z-]{1,30}[a-zA-Z]$`)
+
+	// StyleType is the valid type attribute on a style tag in the <head>
+	StyleType = regexp.MustCompile(`(?i)^text\/css$`)
+)
+
+func main() {
+	// Define a policy, we are using the UGC policy as a base.
+	p := bluemonday.UGCPolicy()
+
+	// HTML email is often displayed in iframes and needs to preserve core
+	// structure
+	p.AllowElements("html", "head", "body", "title")
+
+	// There are not safe, and is only being done here to demonstrate how to
+	// process HTML emails where styling has to be preserved. This is at the
+	// expense of security.
+	p.AllowAttrs("type").Matching(StyleType).OnElements("style")
+	p.AllowAttrs("style").Globally()
+
+	// HTML email frequently contains obselete and basic HTML
+	p.AllowElements("font", "main", "nav", "header", "footer", "kbd", "legend")
+
+	// Need to permit the style tag, and buttons are often found in emails (why?)
+	p.AllowAttrs("type").Matching(ButtonType).OnElements("button")
+
+	// HTML email tends to see the use of obselete spacing and styling attributes
+	p.AllowAttrs("bgcolor", "color").Matching(Color).OnElements("basefont", "font", "hr")
+	p.AllowAttrs("border").Matching(bluemonday.Integer).OnElements("img", "table")
+	p.AllowAttrs("cellpadding", "cellspacing").Matching(bluemonday.Integer).OnElements("table")
+
+	// Allow "class" attributes on all elements
+	p.AllowStyling()
+
+	// Allow images to be embedded via data-uri
+	p.AllowDataURIImages()
+
+	// Add "rel=nofollow" to links
+	p.RequireNoFollowOnLinks(true)
+	p.RequireNoFollowOnFullyQualifiedLinks(true)
+
+	// Open external links in a new window/tab
+	p.AddTargetBlankToFullyQualifiedLinks(true)
+
+	// Read input from stdin so that this is a nice unix utility and can receive
+	// piped input
+	dirty, err := ioutil.ReadAll(os.Stdin)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Apply the policy and write to stdout
+	fmt.Fprint(
+		os.Stdout,
+		p.Sanitize(
+			string(dirty),
+		),
+	)
+}

vendor/github.com/microcosm-cc/bluemonday/cmd/sanitise_ugc/doc.go

@@ -0,0 +1,13 @@
+/*
+Package main demonstrates a simple user generated content sanitizer.
+
+This is the configuration I use on the sites that I run, it allows a lot of safe
+HTML that in my case comes from the blackfriday markdown package. As markdown
+itself allows HTML the UGCPolicy includes most common HTML.
+
+CSS and JavaScript is excluded (not white-listed), as are form elements and most
+embedded media that isn't just an image or image map.
+
+As I'm paranoid, I also do not allow data-uri images and embeds.
+*/
+package main

vendor/github.com/microcosm-cc/bluemonday/cmd/sanitise_ugc/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+
+	"github.com/microcosm-cc/bluemonday"
+)
+
+func main() {
+	// Define a policy, we are using the UGC policy as a base.
+	p := bluemonday.UGCPolicy()
+
+	// Add "rel=nofollow" to links
+	p.RequireNoFollowOnLinks(true)
+	p.RequireNoFollowOnFullyQualifiedLinks(true)
+
+	// Open external links in a new window/tab
+	p.AddTargetBlankToFullyQualifiedLinks(true)
+
+	// Read input from stdin so that this is a nice unix utility and can receive
+	// piped input
+	dirty, err := ioutil.ReadAll(os.Stdin)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Apply the policy and write to stdout
+	fmt.Fprint(
+		os.Stdout,
+		p.Sanitize(
+			string(dirty),
+		),
+	)
+}