+
+MIT License (Expat)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/mattn/go-isatty/README.md b/vendor/github.com/mattn/go-isatty/README.md
new file mode 100644
index 0000000..74845de
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/README.md
@@ -0,0 +1,37 @@
+# go-isatty
+
+isatty for golang
+
+## Usage
+
+```go
+package main
+
+import (
+ "fmt"
+ "github.com/mattn/go-isatty"
+ "os"
+)
+
+func main() {
+ if isatty.IsTerminal(os.Stdout.Fd()) {
+ fmt.Println("Is Terminal")
+ } else {
+ fmt.Println("Is Not Terminal")
+ }
+}
+```
+
+## Installation
+
+```
+$ go get github.com/mattn/go-isatty
+```
+
+# License
+
+MIT
+
+# Author
+
+Yasuhiro Matsumoto (a.k.a mattn)
diff --git a/vendor/github.com/mattn/go-isatty/doc.go b/vendor/github.com/mattn/go-isatty/doc.go
new file mode 100644
index 0000000..17d4f90
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/doc.go
@@ -0,0 +1,2 @@
+// Package isatty implements interface to isatty
+package isatty
diff --git a/vendor/github.com/mattn/go-isatty/isatty_appengine.go b/vendor/github.com/mattn/go-isatty/isatty_appengine.go
new file mode 100644
index 0000000..83c5887
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/isatty_appengine.go
@@ -0,0 +1,9 @@
+// +build appengine
+
+package isatty
+
+// IsTerminal returns true if the file descriptor is terminal which
+// is always false on on appengine classic which is a sandboxed PaaS.
+func IsTerminal(fd uintptr) bool {
+ return false
+}
diff --git a/vendor/github.com/mattn/go-isatty/isatty_bsd.go b/vendor/github.com/mattn/go-isatty/isatty_bsd.go
new file mode 100644
index 0000000..42f2514
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/isatty_bsd.go
@@ -0,0 +1,18 @@
+// +build darwin freebsd openbsd netbsd dragonfly
+// +build !appengine
+
+package isatty
+
+import (
+ "syscall"
+ "unsafe"
+)
+
+const ioctlReadTermios = syscall.TIOCGETA
+
+// IsTerminal return true if the file descriptor is terminal.
+func IsTerminal(fd uintptr) bool {
+ var termios syscall.Termios
+ _, _, err := syscall.Syscall6(syscall.SYS_IOCTL, fd, ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
+ return err == 0
+}
diff --git a/vendor/github.com/mattn/go-isatty/isatty_linux.go b/vendor/github.com/mattn/go-isatty/isatty_linux.go
new file mode 100644
index 0000000..9d24bac
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/isatty_linux.go
@@ -0,0 +1,18 @@
+// +build linux
+// +build !appengine
+
+package isatty
+
+import (
+ "syscall"
+ "unsafe"
+)
+
+const ioctlReadTermios = syscall.TCGETS
+
+// IsTerminal return true if the file descriptor is terminal.
+func IsTerminal(fd uintptr) bool {
+ var termios syscall.Termios
+ _, _, err := syscall.Syscall6(syscall.SYS_IOCTL, fd, ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
+ return err == 0
+}
diff --git a/vendor/github.com/mattn/go-isatty/isatty_solaris.go b/vendor/github.com/mattn/go-isatty/isatty_solaris.go
new file mode 100644
index 0000000..1f0c6bf
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/isatty_solaris.go
@@ -0,0 +1,16 @@
+// +build solaris
+// +build !appengine
+
+package isatty
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+// see: http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libbc/libc/gen/common/isatty.c
+func IsTerminal(fd uintptr) bool {
+ var termio unix.Termio
+ err := unix.IoctlSetTermio(int(fd), unix.TCGETA, &termio)
+ return err == nil
+}
diff --git a/vendor/github.com/mattn/go-isatty/isatty_windows.go b/vendor/github.com/mattn/go-isatty/isatty_windows.go
new file mode 100644
index 0000000..83c398b
--- /dev/null
+++ b/vendor/github.com/mattn/go-isatty/isatty_windows.go
@@ -0,0 +1,19 @@
+// +build windows
+// +build !appengine
+
+package isatty
+
+import (
+ "syscall"
+ "unsafe"
+)
+
+var kernel32 = syscall.NewLazyDLL("kernel32.dll")
+var procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
+
+// IsTerminal return true if the file descriptor is terminal.
+func IsTerminal(fd uintptr) bool {
+ var st uint32
+ r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, fd, uintptr(unsafe.Pointer(&st)), 0)
+ return r != 0 && e == 0
+}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml b/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml
new file mode 100644
index 0000000..e0c8760
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/.coveralls.yml
@@ -0,0 +1 @@
+repo_token: x2wlA1x0X8CK45ybWpZRCVRB4g7vtkhaw
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.gitignore b/vendor/github.com/microcosm-cc/bluemonday/.gitignore
new file mode 100644
index 0000000..0026861
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/.gitignore
@@ -0,0 +1,22 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
diff --git a/vendor/github.com/microcosm-cc/bluemonday/.travis.yml b/vendor/github.com/microcosm-cc/bluemonday/.travis.yml
new file mode 100644
index 0000000..5694dac
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/.travis.yml
@@ -0,0 +1,18 @@
+language: go
+go:
+ - 1.1
+ - 1.2
+ - 1.3
+ - 1.4
+ - 1.5
+ - 1.6
+ - 1.7
+ - tip
+matrix:
+ allow_failures:
+ - go: tip
+ fast_finish: true
+install:
+ - go get golang.org/x/net/html
+script:
+ - go test -v ./...
diff --git a/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md b/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md
new file mode 100644
index 0000000..e0e0c81
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/CONTRIBUTING.md
@@ -0,0 +1,47 @@
+# Contributing to bluemonday
+
+Third-party patches are essential for keeping bluemonday secure and offering the features developers want. However there are a few guidelines that we need contributors to follow so that we can maintain the quality of work that developers who use bluemonday expect.
+
+## Getting Started
+
+* Make sure you have a [Github account](https://github.com/signup/free)
+
+## Submitting an Issue
+
+* Submit a ticket for your issue, assuming one does not already exist
+* Clearly describe the issue including the steps to reproduce (with sample input and output) if it is a bug
+
+If you are reporting a security flaw, you may expect that we will provide the code to fix it for you. Otherwise you may want to submit a pull request to ensure the resolution is applied sooner rather than later:
+
+* Fork the repository on Github
+* Issue a pull request containing code to resolve the issue
+
+## Submitting a Pull Request
+
+* Submit a ticket for your issue, assuming one does not already exist
+* Describe the reason for the pull request and if applicable show some example inputs and outputs to demonstrate what the patch does
+* Fork the repository on Github
+* Before submitting the pull request you should
+ 1. Include tests for your patch, 1 test should encapsulate the entire patch and should refer to the Github issue
+ 1. If you have added new exposed/public functionality, you should ensure it is documented appropriately
+ 1. If you have added new exposed/public functionality, you should consider demonstrating how to use it within one of the helpers or shipped policies if appropriate or within a test if modifying a helper or policy is not appropriate
+ 1. Run all of the tests `go test -v ./...` or `make test` and ensure all tests pass
+ 1. Run gofmt `gofmt -w ./$*` or `make fmt`
+ 1. Run vet `go tool vet *.go` or `make vet` and resolve any issues
+ 1. Install golint using `go get -u github.com/golang/lint/golint` and run vet `golint *.go` or `make lint` and resolve every warning
+* When submitting the pull request you should
+ 1. Note the issue(s) it resolves, i.e. `Closes #6` in the pull request comment to close issue #6 when the pull request is accepted
+
+Once you have submitted a pull request, we *may* merge it without changes. If we have any comments or feedback, or need you to make changes to your pull request we will update the Github pull request or the associated issue. We expect responses from you within two weeks, and we may close the pull request is there is no activity.
+
+### Contributor Licence Agreement
+
+We haven't gone for the formal "Sign a Contributor Licence Agreement" thing that projects like [puppet](https://cla.puppetlabs.com/), [Mojito](https://developer.yahoo.com/cocktails/mojito/cla/) and companies like [Google](http://code.google.com/legal/individual-cla-v1.0.html) are using.
+
+But we do need to know that we can accept and merge your contributions, so for now the act of contributing a pull request should be considered equivalent to agreeing to a contributor licence agreement, specifically:
+
+You accept that the act of submitting code to the bluemonday project is to grant a copyright licence to the project that is perpetual, worldwide, non-exclusive, no-charge, royalty free and irrevocable.
+
+You accept that all who comply with the licence of the project (BSD 3-clause) are permitted to use your contributions to the project.
+
+You accept, and by submitting code do declare, that you have the legal right to grant such a licence to the project and that each of the contributions is your own original creation.
diff --git a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
new file mode 100644
index 0000000..4422905
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
@@ -0,0 +1,6 @@
+
+1. John Graham-Cumming http://jgc.org/
+1. Mike Samuel mikesamuel@gmail.com
+1. Dmitri Shuralyov shurcooL@gmail.com
+1. https://github.com/opennota
+1. https://github.com/Gufran
\ No newline at end of file
diff --git a/vendor/github.com/microcosm-cc/bluemonday/LICENCE.md b/vendor/github.com/microcosm-cc/bluemonday/LICENCE.md
new file mode 100644
index 0000000..f822458
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/LICENCE.md
@@ -0,0 +1,28 @@
+Copyright (c) 2014, David Kitchen
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+* Neither the name of the organisation (Microcosm) nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/microcosm-cc/bluemonday/Makefile b/vendor/github.com/microcosm-cc/bluemonday/Makefile
new file mode 100644
index 0000000..b15dc74
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/Makefile
@@ -0,0 +1,42 @@
+# Targets:
+#
+# all: Builds the code locally after testing
+#
+# fmt: Formats the source files
+# build: Builds the code locally
+# vet: Vets the code
+# lint: Runs lint over the code (you do not need to fix everything)
+# test: Runs the tests
+# cover: Gives you the URL to a nice test coverage report
+#
+# install: Builds, tests and installs the code locally
+
+.PHONY: all fmt build vet lint test cover install
+
+# The first target is always the default action if `make` is called without
+# args we build and install into $GOPATH so that it can just be run
+
+all: fmt vet test install
+
+fmt:
+ @gofmt -s -w ./$*
+
+build:
+ @go build
+
+vet:
+ @go vet *.go
+
+lint:
+ @golint *.go
+
+test:
+ @go test -v ./...
+
+cover: COVERAGE_FILE := coverage.out
+cover:
+ @go test -coverprofile=$(COVERAGE_FILE) && \
+ cover -html=$(COVERAGE_FILE) && rm $(COVERAGE_FILE)
+
+install:
+ @go install ./...
diff --git a/vendor/github.com/microcosm-cc/bluemonday/README.md b/vendor/github.com/microcosm-cc/bluemonday/README.md
new file mode 100644
index 0000000..b8508ff
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/README.md
@@ -0,0 +1,346 @@
+# bluemonday [](https://travis-ci.org/microcosm-cc/bluemonday) [](https://godoc.org/github.com/microcosm-cc/bluemonday)
+
+bluemonday is a HTML sanitizer implemented in Go. It is fast and highly configurable.
+
+bluemonday takes untrusted user generated content as an input, and will return HTML that has been sanitised against a whitelist of approved HTML elements and attributes so that you can safely include the content in your web page.
+
+If you accept user generated content, and your server uses Go, you **need** bluemonday.
+
+The default policy for user generated content (`bluemonday.UGCPolicy().Sanitize()`) turns this:
+```html
+Hello World
+```
+
+Into a harmless:
+```html
+Hello World
+```
+
+And it turns this:
+```html
+XSS
+```
+
+Into this:
+```html
+XSS
+```
+
+Whilst still allowing this:
+```html
+
+ 
+
+```
+
+To pass through mostly unaltered (it gained a rel="nofollow" which is a good thing for user generated content):
+```html
+
+
+
+```
+
+It protects sites from [XSS](http://en.wikipedia.org/wiki/Cross-site_scripting) attacks. There are many [vectors for an XSS attack](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) and the best way to mitigate the risk is to sanitize user input against a known safe list of HTML elements and attributes.
+
+You should **always** run bluemonday **after** any other processing.
+
+If you use [blackfriday](https://github.com/russross/blackfriday) or [Pandoc](http://johnmacfarlane.net/pandoc/) then bluemonday should be run after these steps. This ensures that no insecure HTML is introduced later in your process.
+
+bluemonday is heavily inspired by both the [OWASP Java HTML Sanitizer](https://code.google.com/p/owasp-java-html-sanitizer/) and the [HTML Purifier](http://htmlpurifier.org/).
+
+## Technical Summary
+
+Whitelist based, you need to either build a policy describing the HTML elements and attributes to permit (and the `regexp` patterns of attributes), or use one of the supplied policies representing good defaults.
+
+The policy containing the whitelist is applied using a fast non-validating, forward only, token-based parser implemented in the [Go net/html library](https://godoc.org/golang.org/x/net/html) by the core Go team.
+
+We expect to be supplied with well-formatted HTML (closing elements for every applicable open element, nested correctly) and so we do not focus on repairing badly nested or incomplete HTML. We focus on simply ensuring that whatever elements do exist are described in the policy whitelist and that attributes and links are safe for use on your web page. [GIGO](http://en.wikipedia.org/wiki/Garbage_in,_garbage_out) does apply and if you feed it bad HTML bluemonday is not tasked with figuring out how to make it good again.
+
+### Supported Go Versions
+
+bluemonday is regularly tested against Go 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7 and tip.
+
+We do not support Go 1.0 as we depend on `golang.org/x/net/html` which includes a reference to `io.ErrNoProgress` which did not exist in Go 1.0.
+
+## Is it production ready?
+
+*Yes*
+
+We are using bluemonday in production having migrated from the widely used and heavily field tested OWASP Java HTML Sanitizer.
+
+We are passing our extensive test suite (including AntiSamy tests as well as tests for any issues raised). Check for any [unresolved issues](https://github.com/microcosm-cc/bluemonday/issues?page=1&state=open) to see whether anything may be a blocker for you.
+
+We invite pull requests and issues to help us ensure we are offering comprehensive protection against various attacks via user generated content.
+
+## Usage
+
+Install in your `${GOPATH}` using `go get -u github.com/microcosm-cc/bluemonday`
+
+Then call it:
+```go
+package main
+
+import (
+ "fmt"
+
+ "github.com/microcosm-cc/bluemonday"
+)
+
+func main() {
+ p := bluemonday.UGCPolicy()
+ html := p.Sanitize(
+ `Google`,
+ )
+
+ // Output:
+ // Google
+ fmt.Println(html)
+}
+```
+
+We offer three ways to call Sanitize:
+```go
+p.Sanitize(string) string
+p.SanitizeBytes([]byte) []byte
+p.SanitizeReader(io.Reader) bytes.Buffer
+```
+
+If you are obsessed about performance, `p.SanitizeReader(r).Bytes()` will return a `[]byte` without performing any unnecessary casting of the inputs or outputs. Though the difference is so negligible you should never need to care.
+
+You can build your own policies:
+```go
+package main
+
+import (
+ "fmt"
+
+ "github.com/microcosm-cc/bluemonday"
+)
+
+func main() {
+ p := bluemonday.NewPolicy()
+
+ // Require URLs to be parseable by net/url.Parse and either:
+ // mailto: http:// or https://
+ p.AllowStandardURLs()
+
+ // We only allow and
+ p.AllowAttrs("href").OnElements("a")
+ p.AllowElements("p")
+
+ html := p.Sanitize(
+ `Google`,
+ )
+
+ // Output:
+ // Google
+ fmt.Println(html)
+}
+```
+
+We ship two default policies:
+
+1. `bluemonday.StrictPolicy()` which can be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on it's whitelist. An example usage scenario would be blog post titles where HTML tags are not expected at all and if they are then the elements *and* the content of the elements should be stripped. This is a *very* strict policy.
+2. `bluemonday.UGCPolicy()` which allows a broad selection of HTML elements and attributes that are safe for user generated content. Note that this policy does *not* whitelist iframes, object, embed, styles, script, etc. An example usage scenario would be blog post bodies where a variety of formatting is expected along with the potential for TABLEs and IMGs.
+
+## Policy Building
+
+The essence of building a policy is to determine which HTML elements and attributes are considered safe for your scenario. OWASP provide an [XSS prevention cheat sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) to help explain the risks, but essentially:
+
+1. Avoid anything other than the standard HTML elements
+1. Avoid `script`, `style`, `iframe`, `object`, `embed`, `base` elements that allow code to be executed by the client or third party content to be included that can execute code
+1. Avoid anything other than plain HTML attributes with values matched to a regexp
+
+Basically, you should be able to describe what HTML is fine for your scenario. If you do not have confidence that you can describe your policy please consider using one of the shipped policies such as `bluemonday.UGCPolicy()`.
+
+To create a new policy:
+```go
+p := bluemonday.NewPolicy()
+```
+
+To add elements to a policy either add just the elements:
+```go
+p.AllowElements("b", "strong")
+```
+
+Or add elements as a virtue of adding an attribute:
+```go
+// Not the recommended pattern, see the recommendation on using .Matching() below
+p.AllowAttrs("nowrap").OnElements("td", "th")
+```
+
+Attributes can either be added to all elements:
+```go
+p.AllowAttrs("dir").Matching(regexp.MustCompile("(?i)rtl|ltr")).Globally()
+```
+
+Or attributes can be added to specific elements:
+```go
+// Not the recommended pattern, see the recommendation on using .Matching() below
+p.AllowAttrs("value").OnElements("li")
+```
+
+It is **always** recommended that an attribute be made to match a pattern. XSS in HTML attributes is very easy otherwise:
+```go
+// \p{L} matches unicode letters, \p{N} matches unicode numbers
+p.AllowAttrs("title").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).Globally()
+```
+
+You can stop at any time and call .Sanitize():
+```go
+// string htmlIn passed in from a HTTP POST
+htmlOut := p.Sanitize(htmlIn)
+```
+
+And you can take any existing policy and extend it:
+```go
+p := bluemonday.UGCPolicy()
+p.AllowElements("fieldset", "select", "option")
+```
+
+### Links
+
+Links are difficult beasts to sanitise safely and also one of the biggest attack vectors for malicious content.
+
+It is possible to do this:
+```go
+p.AllowAttrs("href").Matching(regexp.MustCompile(`(?i)mailto|https?`)).OnElements("a")
+```
+
+But that will not protect you as the regular expression is insufficient in this case to have prevented a malformed value doing something unexpected.
+
+We provide some additional global options for safely working with links.
+
+`RequireParseableURLs` will ensure that URLs are parseable by Go's `net/url` package:
+```go
+p.RequireParseableURLs(true)
+```
+
+If you have enabled parseable URLs then the following option will `AllowRelativeURLs`. By default this is disabled (bluemonday is a whitelist tool... you need to explicitly tell us to permit things) and when disabled it will prevent all local and scheme relative URLs (i.e. `href="localpage.html"`, `href="../home.html"` and even `href="//www.google.com"` are relative):
+```go
+p.AllowRelativeURLs(true)
+```
+
+If you have enabled parseable URLs then you can whitelist the schemes (commonly called protocol when thinking of `http` and `https`) that are permitted. Bear in mind that allowing relative URLs in the above option will allow for a blank scheme:
+```go
+p.AllowURLSchemes("mailto", "http", "https")
+```
+
+Regardless of whether you have enabled parseable URLs, you can force all URLs to have a rel="nofollow" attribute. This will be added if it does not exist, but only when the `href` is valid:
+```go
+// This applies to "a" "area" "link" elements that have a "href" attribute
+p.RequireNoFollowOnLinks(true)
+```
+
+We provide a convenience method that applies all of the above, but you will still need to whitelist the linkable elements for the URL rules to be applied to:
+```go
+p.AllowStandardURLs()
+p.AllowAttrs("cite").OnElements("blockquote", "q")
+p.AllowAttrs("href").OnElements("a", "area")
+p.AllowAttrs("src").OnElements("img")
+```
+
+An additional complexity regarding links is the data URI as defined in [RFC2397](http://tools.ietf.org/html/rfc2397). The data URI allows for images to be served inline using this format:
+
+```html
+
+```
+
+We have provided a helper to verify the mimetype followed by base64 content of data URIs links:
+
+```go
+p.AllowDataURIImages()
+```
+
+That helper will enable GIF, JPEG, PNG and WEBP images.
+
+It should be noted that there is a potential [security](http://palizine.plynt.com/issues/2010Oct/bypass-xss-filters/) [risk](https://capec.mitre.org/data/definitions/244.html) with the use of data URI links. You should only enable data URI links if you already trust the content.
+
+We also have some features to help deal with user generated content:
+```go
+p.AddTargetBlankToFullyQualifiedLinks(true)
+```
+
+This will ensure that anchor `` links that are fully qualified (the href destination includes a host name) will get `target="_blank"` added to them.
+
+Additionally any link that has `target="_blank"` after the policy has been applied will also have the `rel` attribute adjusted to add `noopener`. This means a link may start like `` and will end up as ``. It is important to note that the addition of `noopener` is a security feature and not an issue. There is an unfortunate feature to browsers that a browser window opened as a result of `target="_blank"` can still control the opener (your web page) and this protects against that. The background to this can be found here: [https://dev.to/ben/the-targetblank-vulnerability-by-example](https://dev.to/ben/the-targetblank-vulnerability-by-example)
+
+### Policy Building Helpers
+
+We also bundle some helpers to simplify policy building:
+```go
+
+// Permits the "dir", "id", "lang", "title" attributes globally
+p.AllowStandardAttributes()
+
+// Permits the "img" element and it's standard attributes
+p.AllowImages()
+
+// Permits ordered and unordered lists, and also definition lists
+p.AllowLists()
+
+// Permits HTML tables and all applicable elements and non-styling attributes
+p.AllowTables()
+```
+
+### Invalid Instructions
+
+The following are invalid:
+```go
+// This does not say where the attributes are allowed, you need to add
+// .Globally() or .OnElements(...)
+// This will be ignored without error.
+p.AllowAttrs("value")
+
+// This does not say where the attributes are allowed, you need to add
+// .Globally() or .OnElements(...)
+// This will be ignored without error.
+p.AllowAttrs(
+ "type",
+).Matching(
+ regexp.MustCompile("(?i)^(circle|disc|square|a|A|i|I|1)$"),
+)
+```
+
+Both examples exhibit the same issue, they declare attributes but do not then specify whether they are whitelisted globally or only on specific elements (and which elements). Attributes belong to one or more elements, and the policy needs to declare this.
+
+## Limitations
+
+We are not yet including any tools to help whitelist and sanitize CSS. Which means that unless you wish to do the heavy lifting in a single regular expression (inadvisable), **you should not allow the "style" attribute anywhere**.
+
+It is not the job of bluemonday to fix your bad HTML, it is merely the job of bluemonday to prevent malicious HTML getting through. If you have mismatched HTML elements, or non-conforming nesting of elements, those will remain. But if you have well-structured HTML bluemonday will not break it.
+
+## TODO
+
+* Add support for CSS sanitisation to allow some CSS properties based on a whitelist, possibly using the [Gorilla CSS3 scanner](http://www.gorillatoolkit.org/pkg/css/scanner)
+* Investigate whether devs want to blacklist elements and attributes. This would allow devs to take an existing policy (such as the `bluemonday.UGCPolicy()` ) that encapsulates 90% of what they're looking for but does more than they need, and to remove the extra things they do not want to make it 100% what they want
+* Investigate whether devs want a validating HTML mode, in which the HTML elements are not just transformed into a balanced tree (every start tag has a closing tag at the correct depth) but also that elements and character data appear only in their allowed context (i.e. that a `table` element isn't a descendent of a `caption`, that `colgroup`, `thead`, `tbody`, `tfoot` and `tr` are permitted, and that character data is not permitted)
+
+## Development
+
+If you have cloned this repo you will probably need the dependency:
+
+`go get golang.org/x/net/html`
+
+Gophers can use their familiar tools:
+
+`go build`
+
+`go test`
+
+I personally use a Makefile as it spares typing the same args over and over whilst providing consistency for those of us who jump from language to language and enjoy just typing `make` in a project directory and watch magic happen.
+
+`make` will build, vet, test and install the library.
+
+`make clean` will remove the library from a *single* `${GOPATH}/pkg` directory tree
+
+`make test` will run the tests
+
+`make cover` will run the tests and *open a browser window* with the coverage report
+
+`make lint` will run golint (install via `go get github.com/golang/lint/golint`)
+
+## Long term goals
+
+1. Open the code to adversarial peer review similar to the [Attack Review Ground Rules](https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules)
+1. Raise funds and pay for an external security review
diff --git a/vendor/github.com/microcosm-cc/bluemonday/doc.go b/vendor/github.com/microcosm-cc/bluemonday/doc.go
new file mode 100644
index 0000000..2cb0a36
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/doc.go
@@ -0,0 +1,104 @@
+// Copyright (c) 2014, David Kitchen
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// * Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// * Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// * Neither the name of the organisation (Microcosm) nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+/*
+Package bluemonday provides a way of describing a whitelist of HTML elements
+and attributes as a policy, and for that policy to be applied to untrusted
+strings from users that may contain markup. All elements and attributes not on
+the whitelist will be stripped.
+
+The default bluemonday.UGCPolicy().Sanitize() turns this:
+
+ Hello World
+
+Into the more harmless:
+
+ Hello World
+
+And it turns this:
+
+ XSS
+
+Into this:
+
+ XSS
+
+Whilst still allowing this:
+
+
+
+
+
+To pass through mostly unaltered (it gained a rel="nofollow"):
+
+
+
+
+
+The primary purpose of bluemonday is to take potentially unsafe user generated
+content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe
+for you to put on your website.
+
+It protects sites against XSS (http://en.wikipedia.org/wiki/Cross-site_scripting)
+and other malicious content that a user interface may deliver. There are many
+vectors for an XSS attack (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
+and the safest thing to do is to sanitize user input against a known safe list
+of HTML elements and attributes.
+
+Note: You should always run bluemonday after any other processing.
+
+If you use blackfriday (https://github.com/russross/blackfriday) or
+Pandoc (http://johnmacfarlane.net/pandoc/) then bluemonday should be run after
+these steps. This ensures that no insecure HTML is introduced later in your
+process.
+
+bluemonday is heavily inspired by both the OWASP Java HTML Sanitizer
+(https://code.google.com/p/owasp-java-html-sanitizer/) and the HTML Purifier
+(http://htmlpurifier.org/).
+
+We ship two default policies, one is bluemonday.StrictPolicy() and can be
+thought of as equivalent to stripping all HTML elements and their attributes as
+it has nothing on it's whitelist.
+
+The other is bluemonday.UGCPolicy() and allows a broad selection of HTML
+elements and attributes that are safe for user generated content. Note that
+this policy does not whitelist iframes, object, embed, styles, script, etc.
+
+The essence of building a policy is to determine which HTML elements and
+attributes are considered safe for your scenario. OWASP provide an XSS
+prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet )
+to help explain the risks, but essentially:
+
+ 1. Avoid whitelisting anything other than plain HTML elements
+ 2. Avoid whitelisting `script`, `style`, `iframe`, `object`, `embed`, `base`
+ elements
+ 3. Avoid whitelisting anything other than plain HTML elements with simple
+ values that you can match to a regexp
+*/
+package bluemonday
diff --git a/vendor/github.com/microcosm-cc/bluemonday/helpers.go b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
new file mode 100644
index 0000000..dfa5868
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
@@ -0,0 +1,297 @@
+// Copyright (c) 2014, David Kitchen
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// * Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// * Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// * Neither the name of the organisation (Microcosm) nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package bluemonday
+
+import (
+ "encoding/base64"
+ "net/url"
+ "regexp"
+)
+
+// A selection of regular expressions that can be used as .Matching() rules on
+// HTML attributes.
+var (
+ // CellAlign handles the `align` attribute
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/td#attr-align
+ CellAlign = regexp.MustCompile(`(?i)^(center|justify|left|right|char)$`)
+
+ // CellVerticalAlign handles the `valign` attribute
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/td#attr-valign
+ CellVerticalAlign = regexp.MustCompile(`(?i)^(baseline|bottom|middle|top)$`)
+
+ // Direction handles the `dir` attribute
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bdo#attr-dir
+ Direction = regexp.MustCompile(`(?i)^(rtl|ltr)$`)
+
+ // ImageAlign handles the `align` attribute on the `image` tag
+ // http://www.w3.org/MarkUp/Test/Img/imgtest.html
+ ImageAlign = regexp.MustCompile(
+ `(?i)^(left|right|top|texttop|middle|absmiddle|baseline|bottom|absbottom)$`,
+ )
+
+ // Integer describes whole positive integers (including 0) used in places
+ // like td.colspan
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/td#attr-colspan
+ Integer = regexp.MustCompile(`^[0-9]+$`)
+
+ // ISO8601 according to the W3 group is only a subset of the ISO8601
+ // standard: http://www.w3.org/TR/NOTE-datetime
+ //
+ // Used in places like time.datetime
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/time#attr-datetime
+ //
+ // Matches patterns:
+ // Year:
+ // YYYY (eg 1997)
+ // Year and month:
+ // YYYY-MM (eg 1997-07)
+ // Complete date:
+ // YYYY-MM-DD (eg 1997-07-16)
+ // Complete date plus hours and minutes:
+ // YYYY-MM-DDThh:mmTZD (eg 1997-07-16T19:20+01:00)
+ // Complete date plus hours, minutes and seconds:
+ // YYYY-MM-DDThh:mm:ssTZD (eg 1997-07-16T19:20:30+01:00)
+ // Complete date plus hours, minutes, seconds and a decimal fraction of a
+ // second
+ // YYYY-MM-DDThh:mm:ss.sTZD (eg 1997-07-16T19:20:30.45+01:00)
+ ISO8601 = regexp.MustCompile(
+ `^[0-9]{4}(-[0-9]{2}(-[0-9]{2}([ T][0-9]{2}(:[0-9]{2}){1,2}(.[0-9]{1,6})` +
+ `?Z?([\+-][0-9]{2}:[0-9]{2})?)?)?)?$`,
+ )
+
+ // ListType encapsulates the common value as well as the latest spec
+ // values for lists
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/ol#attr-type
+ ListType = regexp.MustCompile(`(?i)^(circle|disc|square|a|A|i|I|1)$`)
+
+ // SpaceSeparatedTokens is used in places like `a.rel` and the common attribute
+ // `class` which both contain space delimited lists of data tokens
+ // http://www.w3.org/TR/html-markup/datatypes.html#common.data.tokens-def
+ // Regexp: \p{L} matches unicode letters, \p{N} matches unicode numbers
+ SpaceSeparatedTokens = regexp.MustCompile(`^([\s\p{L}\p{N}_-]+)$`)
+
+ // Number is a double value used on HTML5 meter and progress elements
+ // http://www.whatwg.org/specs/web-apps/current-work/multipage/the-button-element.html#the-meter-element
+ Number = regexp.MustCompile(`^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$`)
+
+ // NumberOrPercent is used predominantly as units of measurement in width
+ // and height attributes
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-height
+ NumberOrPercent = regexp.MustCompile(`^[0-9]+[%]?$`)
+
+ // Paragraph of text in an attribute such as *.'title', img.alt, etc
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes#attr-title
+ // Note that we are not allowing chars that could close tags like '>'
+ Paragraph = regexp.MustCompile(`^[\p{L}\p{N}\s\-_',\[\]!\./\\\(\)]*$`)
+
+ // dataURIImagePrefix is used by AllowDataURIImages to define the acceptable
+ // prefix of data URIs that contain common web image formats.
+ //
+ // This is not exported as it's not useful by itself, and only has value
+ // within the AllowDataURIImages func
+ dataURIImagePrefix = regexp.MustCompile(
+ `^image/(gif|jpeg|png|webp);base64,`,
+ )
+)
+
+// AllowStandardURLs is a convenience function that will enable rel="nofollow"
+// on "a", "area" and "link" (if you have allowed those elements) and will
+// ensure that the URL values are parseable and either relative or belong to the
+// "mailto", "http", or "https" schemes
+func (p *Policy) AllowStandardURLs() {
+ // URLs must be parseable by net/url.Parse()
+ p.RequireParseableURLs(true)
+
+ // !url.IsAbs() is permitted
+ p.AllowRelativeURLs(true)
+
+ // Most common URL schemes only
+ p.AllowURLSchemes("mailto", "http", "https")
+
+ // For all anchors we will add rel="nofollow" if it does not already exist
+ // This applies to "a" "area" "link"
+ p.RequireNoFollowOnLinks(true)
+}
+
+// AllowStandardAttributes will enable "id", "title" and the language specific
+// attributes "dir" and "lang" on all elements that are whitelisted
+func (p *Policy) AllowStandardAttributes() {
+ // "dir" "lang" are permitted as both language attributes affect charsets
+ // and direction of text.
+ p.AllowAttrs("dir").Matching(Direction).Globally()
+ p.AllowAttrs(
+ "lang",
+ ).Matching(regexp.MustCompile(`[a-zA-Z]{2,20}`)).Globally()
+
+ // "id" is permitted. This is pretty much as some HTML elements require this
+ // to work well ("dfn" is an example of a "id" being value)
+ // This does create a risk that JavaScript and CSS within your web page
+ // might identify the wrong elements. Ensure that you select things
+ // accurately
+ p.AllowAttrs("id").Matching(
+ regexp.MustCompile(`[a-zA-Z0-9\:\-_\.]+`),
+ ).Globally()
+
+ // "title" is permitted as it improves accessibility.
+ p.AllowAttrs("title").Matching(Paragraph).Globally()
+}
+
+// AllowStyling presently enables the class attribute globally.
+//
+// Note: When bluemonday ships a CSS parser and we can safely sanitise that,
+// this will also allow sanitized styling of elements via the style attribute.
+func (p *Policy) AllowStyling() {
+
+ // "class" is permitted globally
+ p.AllowAttrs("class").Matching(SpaceSeparatedTokens).Globally()
+}
+
+// AllowImages enables the img element and some popular attributes. It will also
+// ensure that URL values are parseable. This helper does not enable data URI
+// images, for that you should also use the AllowDataURIImages() helper.
+func (p *Policy) AllowImages() {
+
+ // "img" is permitted
+ p.AllowAttrs("align").Matching(ImageAlign).OnElements("img")
+ p.AllowAttrs("alt").Matching(Paragraph).OnElements("img")
+ p.AllowAttrs("height", "width").Matching(NumberOrPercent).OnElements("img")
+
+ // Standard URLs enabled
+ p.AllowStandardURLs()
+ p.AllowAttrs("src").OnElements("img")
+}
+
+// AllowDataURIImages permits the use of inline images defined in RFC2397
+// http://tools.ietf.org/html/rfc2397
+// http://en.wikipedia.org/wiki/Data_URI_scheme
+//
+// Images must have a mimetype matching:
+// image/gif
+// image/jpeg
+// image/png
+// image/webp
+//
+// NOTE: There is a potential security risk to allowing data URIs and you should
+// only permit them on content you already trust.
+// http://palizine.plynt.com/issues/2010Oct/bypass-xss-filters/
+// https://capec.mitre.org/data/definitions/244.html
+func (p *Policy) AllowDataURIImages() {
+
+ // URLs must be parseable by net/url.Parse()
+ p.RequireParseableURLs(true)
+
+ // Supply a function to validate images contained within data URI
+ p.AllowURLSchemeWithCustomPolicy(
+ "data",
+ func(url *url.URL) (allowUrl bool) {
+ if url.RawQuery != "" || url.Fragment != "" {
+ return false
+ }
+
+ matched := dataURIImagePrefix.FindString(url.Opaque)
+ if matched == "" {
+ return false
+ }
+
+ _, err := base64.StdEncoding.DecodeString(url.Opaque[len(matched):])
+ if err != nil {
+ return false
+ }
+
+ return true
+ },
+ )
+}
+
+// AllowLists will enabled ordered and unordered lists, as well as definition
+// lists
+func (p *Policy) AllowLists() {
+ // "ol" "ul" are permitted
+ p.AllowAttrs("type").Matching(ListType).OnElements("ol", "ul")
+
+ // "li" is permitted
+ p.AllowAttrs("type").Matching(ListType).OnElements("li")
+ p.AllowAttrs("value").Matching(Integer).OnElements("li")
+
+ // "dl" "dt" "dd" are permitted
+ p.AllowElements("dl", "dt", "dd")
+}
+
+// AllowTables will enable a rich set of elements and attributes to describe
+// HTML tables
+func (p *Policy) AllowTables() {
+
+ // "table" is permitted
+ p.AllowAttrs("height", "width").Matching(NumberOrPercent).OnElements("table")
+ p.AllowAttrs("summary").Matching(Paragraph).OnElements("table")
+
+ // "caption" is permitted
+ p.AllowElements("caption")
+
+ // "col" "colgroup" are permitted
+ p.AllowAttrs("align").Matching(CellAlign).OnElements("col", "colgroup")
+ p.AllowAttrs("height", "width").Matching(
+ NumberOrPercent,
+ ).OnElements("col", "colgroup")
+ p.AllowAttrs("span").Matching(Integer).OnElements("colgroup", "col")
+ p.AllowAttrs("valign").Matching(
+ CellVerticalAlign,
+ ).OnElements("col", "colgroup")
+
+ // "thead" "tr" are permitted
+ p.AllowAttrs("align").Matching(CellAlign).OnElements("thead", "tr")
+ p.AllowAttrs("valign").Matching(CellVerticalAlign).OnElements("thead", "tr")
+
+ // "td" "th" are permitted
+ p.AllowAttrs("abbr").Matching(Paragraph).OnElements("td", "th")
+ p.AllowAttrs("align").Matching(CellAlign).OnElements("td", "th")
+ p.AllowAttrs("colspan", "rowspan").Matching(Integer).OnElements("td", "th")
+ p.AllowAttrs("headers").Matching(
+ SpaceSeparatedTokens,
+ ).OnElements("td", "th")
+ p.AllowAttrs("height", "width").Matching(
+ NumberOrPercent,
+ ).OnElements("td", "th")
+ p.AllowAttrs(
+ "scope",
+ ).Matching(
+ regexp.MustCompile(`(?i)(?:row|col)(?:group)?`),
+ ).OnElements("td", "th")
+ p.AllowAttrs("valign").Matching(CellVerticalAlign).OnElements("td", "th")
+ p.AllowAttrs("nowrap").Matching(
+ regexp.MustCompile(`(?i)|nowrap`),
+ ).OnElements("td", "th")
+
+ // "tbody" "tfoot"
+ p.AllowAttrs("align").Matching(CellAlign).OnElements("tbody", "tfoot")
+ p.AllowAttrs("valign").Matching(
+ CellVerticalAlign,
+ ).OnElements("tbody", "tfoot")
+}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policies.go b/vendor/github.com/microcosm-cc/bluemonday/policies.go
new file mode 100644
index 0000000..570bba8
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/policies.go
@@ -0,0 +1,253 @@
+// Copyright (c) 2014, David Kitchen
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// * Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// * Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// * Neither the name of the organisation (Microcosm) nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package bluemonday
+
+import (
+ "regexp"
+)
+
+// StrictPolicy returns an empty policy, which will effectively strip all HTML
+// elements and their attributes from a document.
+func StrictPolicy() *Policy {
+ return NewPolicy()
+}
+
+// StripTagsPolicy is DEPRECATED. Use StrictPolicy instead.
+func StripTagsPolicy() *Policy {
+ return StrictPolicy()
+}
+
+// UGCPolicy returns a policy aimed at user generated content that is a result
+// of HTML WYSIWYG tools and Markdown conversions.
+//
+// This is expected to be a fairly rich document where as much markup as
+// possible should be retained. Markdown permits raw HTML so we are basically
+// providing a policy to sanitise HTML5 documents safely but with the
+// least intrusion on the formatting expectations of the user.
+func UGCPolicy() *Policy {
+
+ p := NewPolicy()
+
+ ///////////////////////
+ // Global attributes //
+ ///////////////////////
+
+ // "class" is not permitted as we are not allowing users to style their own
+ // content
+
+ p.AllowStandardAttributes()
+
+ //////////////////////////////
+ // Global URL format policy //
+ //////////////////////////////
+
+ p.AllowStandardURLs()
+
+ ////////////////////////////////
+ // Declarations and structure //
+ ////////////////////////////////
+
+ // "xml" "xslt" "DOCTYPE" "html" "head" are not permitted as we are
+ // expecting user generated content to be a fragment of HTML and not a full
+ // document.
+
+ //////////////////////////
+ // Sectioning root tags //
+ //////////////////////////
+
+ // "article" and "aside" are permitted and takes no attributes
+ p.AllowElements("article", "aside")
+
+ // "body" is not permitted as we are expecting user generated content to be a fragment
+ // of HTML and not a full document.
+
+ // "details" is permitted, including the "open" attribute which can either
+ // be blank or the value "open".
+ p.AllowAttrs(
+ "open",
+ ).Matching(regexp.MustCompile(`(?i)^(|open)$`)).OnElements("details")
+
+ // "fieldset" is not permitted as we are not allowing forms to be created.
+
+ // "figure" is permitted and takes no attributes
+ p.AllowElements("figure")
+
+ // "nav" is not permitted as it is assumed that the site (and not the user)
+ // has defined navigation elements
+
+ // "section" is permitted and takes no attributes
+ p.AllowElements("section")
+
+ // "summary" is permitted and takes no attributes
+ p.AllowElements("summary")
+
+ //////////////////////////
+ // Headings and footers //
+ //////////////////////////
+
+ // "footer" is not permitted as we expect user content to be a fragment and
+ // not structural to this extent
+
+ // "h1" through "h6" are permitted and take no attributes
+ p.AllowElements("h1", "h2", "h3", "h4", "h5", "h6")
+
+ // "header" is not permitted as we expect user content to be a fragment and
+ // not structural to this extent
+
+ // "hgroup" is permitted and takes no attributes
+ p.AllowElements("hgroup")
+
+ /////////////////////////////////////
+ // Content grouping and separating //
+ /////////////////////////////////////
+
+ // "blockquote" is permitted, including the "cite" attribute which must be
+ // a standard URL.
+ p.AllowAttrs("cite").OnElements("blockquote")
+
+ // "br" "div" "hr" "p" "span" "wbr" are permitted and take no attributes
+ p.AllowElements("br", "div", "hr", "p", "span", "wbr")
+
+ ///////////
+ // Links //
+ ///////////
+
+ // "a" is permitted
+ p.AllowAttrs("href").OnElements("a")
+
+ // "area" is permitted along with the attributes that map image maps work
+ p.AllowAttrs("name").Matching(
+ regexp.MustCompile(`^([\p{L}\p{N}_-]+)$`),
+ ).OnElements("map")
+ p.AllowAttrs("alt").Matching(Paragraph).OnElements("area")
+ p.AllowAttrs("coords").Matching(
+ regexp.MustCompile(`^([0-9]+,)+[0-9]+$`),
+ ).OnElements("area")
+ p.AllowAttrs("href").OnElements("area")
+ p.AllowAttrs("rel").Matching(SpaceSeparatedTokens).OnElements("area")
+ p.AllowAttrs("shape").Matching(
+ regexp.MustCompile(`(?i)^(default|circle|rect|poly)$`),
+ ).OnElements("area")
+ p.AllowAttrs("usemap").Matching(
+ regexp.MustCompile(`(?i)^#[\p{L}\p{N}_-]+$`),
+ ).OnElements("img")
+
+ // "link" is not permitted
+
+ /////////////////////
+ // Phrase elements //
+ /////////////////////
+
+ // The following are all inline phrasing elements
+ p.AllowElements("abbr", "acronym", "cite", "code", "dfn", "em",
+ "figcaption", "mark", "s", "samp", "strong", "sub", "sup", "var")
+
+ // "q" is permitted and "cite" is a URL and handled by URL policies
+ p.AllowAttrs("cite").OnElements("q")
+
+ // "time" is permitted
+ p.AllowAttrs("datetime").Matching(ISO8601).OnElements("time")
+
+ ////////////////////
+ // Style elements //
+ ////////////////////
+
+ // block and inline elements that impart no semantic meaning but style the
+ // document
+ p.AllowElements("b", "i", "pre", "small", "strike", "tt", "u")
+
+ // "style" is not permitted as we are not yet sanitising CSS and it is an
+ // XSS attack vector
+
+ //////////////////////
+ // HTML5 Formatting //
+ //////////////////////
+
+ // "bdi" "bdo" are permitted
+ p.AllowAttrs("dir").Matching(Direction).OnElements("bdi", "bdo")
+
+ // "rp" "rt" "ruby" are permitted
+ p.AllowElements("rp", "rt", "ruby")
+
+ ///////////////////////////
+ // HTML5 Change tracking //
+ ///////////////////////////
+
+ // "del" "ins" are permitted
+ p.AllowAttrs("cite").Matching(Paragraph).OnElements("del", "ins")
+ p.AllowAttrs("datetime").Matching(ISO8601).OnElements("del", "ins")
+
+ ///////////
+ // Lists //
+ ///////////
+
+ p.AllowLists()
+
+ ////////////
+ // Tables //
+ ////////////
+
+ p.AllowTables()
+
+ ///////////
+ // Forms //
+ ///////////
+
+ // By and large, forms are not permitted. However there are some form
+ // elements that can be used to present data, and we do permit those
+ //
+ // "button" "fieldset" "input" "keygen" "label" "output" "select" "datalist"
+ // "textarea" "optgroup" "option" are all not permitted
+
+ // "meter" is permitted
+ p.AllowAttrs(
+ "value",
+ "min",
+ "max",
+ "low",
+ "high",
+ "optimum",
+ ).Matching(Number).OnElements("meter")
+
+ // "progress" is permitted
+ p.AllowAttrs("value", "max").Matching(Number).OnElements("progress")
+
+ //////////////////////
+ // Embedded content //
+ //////////////////////
+
+ // Vast majority not permitted
+ // "audio" "canvas" "embed" "iframe" "object" "param" "source" "svg" "track"
+ // "video" are all not permitted
+
+ p.AllowImages()
+
+ return p
+}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/policy.go b/vendor/github.com/microcosm-cc/bluemonday/policy.go
new file mode 100644
index 0000000..5d28bec
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@@ -0,0 +1,548 @@
+// Copyright (c) 2014, David Kitchen
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// * Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// * Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// * Neither the name of the organisation (Microcosm) nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package bluemonday
+
+import (
+ "net/url"
+ "regexp"
+ "strings"
+)
+
+// Policy encapsulates the whitelist of HTML elements and attributes that will
+// be applied to the sanitised HTML.
+//
+// You should use bluemonday.NewPolicy() to create a blank policy as the
+// unexported fields contain maps that need to be initialized.
+type Policy struct {
+
+ // Declares whether the maps have been initialized, used as a cheap check to
+ // ensure that those using Policy{} directly won't cause nil pointer
+ // exceptions
+ initialized bool
+
+ // Allows the tag to exist in the sanitized document
+ allowDocType bool
+
+ // If true then we add spaces when stripping tags, specifically the closing
+ // tag is replaced by a space character.
+ addSpaces bool
+
+ // When true, add rel="nofollow" to HTML anchors
+ requireNoFollow bool
+
+ // When true, add rel="nofollow" to HTML anchors
+ // Will add for href="http://foo"
+ // Will skip for href="/foo" or href="foo"
+ requireNoFollowFullyQualifiedLinks bool
+
+ // When true add target="_blank" to fully qualified links
+ // Will add for href="http://foo"
+ // Will skip for href="/foo" or href="foo"
+ addTargetBlankToFullyQualifiedLinks bool
+
+ // When true, URLs must be parseable by "net/url" url.Parse()
+ requireParseableURLs bool
+
+ // When true, u, _ := url.Parse("url"); !u.IsAbs() is permitted
+ allowRelativeURLs bool
+
+ // map[htmlElementName]map[htmlAttributeName]attrPolicy
+ elsAndAttrs map[string]map[string]attrPolicy
+
+ // map[htmlAttributeName]attrPolicy
+ globalAttrs map[string]attrPolicy
+
+ // If urlPolicy is nil, all URLs with matching schema are allowed.
+ // Otherwise, only the URLs with matching schema and urlPolicy(url)
+ // returning true are allowed.
+ allowURLSchemes map[string]urlPolicy
+
+ // If an element has had all attributes removed as a result of a policy
+ // being applied, then the element would be removed from the output.
+ //
+ // However some elements are valid and have strong layout meaning without
+ // any attributes, i.e. . To prevent those being removed we maintain
+ // a list of elements that are allowed to have no attributes and that will
+ // be maintained in the output HTML.
+ setOfElementsAllowedWithoutAttrs map[string]struct{}
+
+ setOfElementsToSkipContent map[string]struct{}
+}
+
+type attrPolicy struct {
+
+ // optional pattern to match, when not nil the regexp needs to match
+ // otherwise the attribute is removed
+ regexp *regexp.Regexp
+}
+
+type attrPolicyBuilder struct {
+ p *Policy
+
+ attrNames []string
+ regexp *regexp.Regexp
+ allowEmpty bool
+}
+
+type urlPolicy func(url *url.URL) (allowUrl bool)
+
+// init initializes the maps if this has not been done already
+func (p *Policy) init() {
+ if !p.initialized {
+ p.elsAndAttrs = make(map[string]map[string]attrPolicy)
+ p.globalAttrs = make(map[string]attrPolicy)
+ p.allowURLSchemes = make(map[string]urlPolicy)
+ p.setOfElementsAllowedWithoutAttrs = make(map[string]struct{})
+ p.setOfElementsToSkipContent = make(map[string]struct{})
+ p.initialized = true
+ }
+}
+
+// NewPolicy returns a blank policy with nothing whitelisted or permitted. This
+// is the recommended way to start building a policy and you should now use
+// AllowAttrs() and/or AllowElements() to construct the whitelist of HTML
+// elements and attributes.
+func NewPolicy() *Policy {
+
+ p := Policy{}
+
+ p.addDefaultElementsWithoutAttrs()
+ p.addDefaultSkipElementContent()
+
+ return &p
+}
+
+// AllowAttrs takes a range of HTML attribute names and returns an
+// attribute policy builder that allows you to specify the pattern and scope of
+// the whitelisted attribute.
+//
+// The attribute policy is only added to the core policy when either Globally()
+// or OnElements(...) are called.
+func (p *Policy) AllowAttrs(attrNames ...string) *attrPolicyBuilder {
+
+ p.init()
+
+ abp := attrPolicyBuilder{
+ p: p,
+ allowEmpty: false,
+ }
+
+ for _, attrName := range attrNames {
+ abp.attrNames = append(abp.attrNames, strings.ToLower(attrName))
+ }
+
+ return &abp
+}
+
+// AllowNoAttrs says that attributes on element are optional.
+//
+// The attribute policy is only added to the core policy when OnElements(...)
+// are called.
+func (p *Policy) AllowNoAttrs() *attrPolicyBuilder {
+
+ p.init()
+
+ abp := attrPolicyBuilder{
+ p: p,
+ allowEmpty: true,
+ }
+ return &abp
+}
+
+// AllowNoAttrs says that attributes on element are optional.
+//
+// The attribute policy is only added to the core policy when OnElements(...)
+// are called.
+func (abp *attrPolicyBuilder) AllowNoAttrs() *attrPolicyBuilder {
+
+ abp.allowEmpty = true
+
+ return abp
+}
+
+// Matching allows a regular expression to be applied to a nascent attribute
+// policy, and returns the attribute policy. Calling this more than once will
+// replace the existing regexp.
+func (abp *attrPolicyBuilder) Matching(regex *regexp.Regexp) *attrPolicyBuilder {
+
+ abp.regexp = regex
+
+ return abp
+}
+
+// OnElements will bind an attribute policy to a given range of HTML elements
+// and return the updated policy
+func (abp *attrPolicyBuilder) OnElements(elements ...string) *Policy {
+
+ for _, element := range elements {
+ element = strings.ToLower(element)
+
+ for _, attr := range abp.attrNames {
+
+ if _, ok := abp.p.elsAndAttrs[element]; !ok {
+ abp.p.elsAndAttrs[element] = make(map[string]attrPolicy)
+ }
+
+ ap := attrPolicy{}
+ if abp.regexp != nil {
+ ap.regexp = abp.regexp
+ }
+
+ abp.p.elsAndAttrs[element][attr] = ap
+ }
+
+ if abp.allowEmpty {
+ abp.p.setOfElementsAllowedWithoutAttrs[element] = struct{}{}
+
+ if _, ok := abp.p.elsAndAttrs[element]; !ok {
+ abp.p.elsAndAttrs[element] = make(map[string]attrPolicy)
+ }
+ }
+ }
+
+ return abp.p
+}
+
+// Globally will bind an attribute policy to all HTML elements and return the
+// updated policy
+func (abp *attrPolicyBuilder) Globally() *Policy {
+
+ for _, attr := range abp.attrNames {
+ if _, ok := abp.p.globalAttrs[attr]; !ok {
+ abp.p.globalAttrs[attr] = attrPolicy{}
+ }
+
+ ap := attrPolicy{}
+ if abp.regexp != nil {
+ ap.regexp = abp.regexp
+ }
+
+ abp.p.globalAttrs[attr] = ap
+ }
+
+ return abp.p
+}
+
+// AllowElements will append HTML elements to the whitelist without applying an
+// attribute policy to those elements (the elements are permitted
+// sans-attributes)
+func (p *Policy) AllowElements(names ...string) *Policy {
+ p.init()
+
+ for _, element := range names {
+ element = strings.ToLower(element)
+
+ if _, ok := p.elsAndAttrs[element]; !ok {
+ p.elsAndAttrs[element] = make(map[string]attrPolicy)
+ }
+ }
+
+ return p
+}
+
+// RequireNoFollowOnLinks will result in all tags having a rel="nofollow"
+// added to them if one does not already exist
+//
+// Note: This requires p.RequireParseableURLs(true) and will enable it.
+func (p *Policy) RequireNoFollowOnLinks(require bool) *Policy {
+
+ p.requireNoFollow = require
+ p.requireParseableURLs = true
+
+ return p
+}
+
+// RequireNoFollowOnFullyQualifiedLinks will result in all tags that point
+// to a non-local destination (i.e. starts with a protocol and has a host)
+// having a rel="nofollow" added to them if one does not already exist
+//
+// Note: This requires p.RequireParseableURLs(true) and will enable it.
+func (p *Policy) RequireNoFollowOnFullyQualifiedLinks(require bool) *Policy {
+
+ p.requireNoFollowFullyQualifiedLinks = require
+ p.requireParseableURLs = true
+
+ return p
+}
+
+// AddTargetBlankToFullyQualifiedLinks will result in all tags that point
+// to a non-local destination (i.e. starts with a protocol and has a host)
+// having a target="_blank" added to them if one does not already exist
+//
+// Note: This requires p.RequireParseableURLs(true) and will enable it.
+func (p *Policy) AddTargetBlankToFullyQualifiedLinks(require bool) *Policy {
+
+ p.addTargetBlankToFullyQualifiedLinks = require
+ p.requireParseableURLs = true
+
+ return p
+}
+
+// RequireParseableURLs will result in all URLs requiring that they be parseable
+// by "net/url" url.Parse()
+// This applies to:
+// - a.href
+// - area.href
+// - blockquote.cite
+// - img.src
+// - link.href
+// - script.src
+func (p *Policy) RequireParseableURLs(require bool) *Policy {
+
+ p.requireParseableURLs = require
+
+ return p
+}
+
+// AllowRelativeURLs enables RequireParseableURLs and then permits URLs that
+// are parseable, have no schema information and url.IsAbs() returns false
+// This permits local URLs
+func (p *Policy) AllowRelativeURLs(require bool) *Policy {
+
+ p.RequireParseableURLs(true)
+ p.allowRelativeURLs = require
+
+ return p
+}
+
+// AllowURLSchemes will append URL schemes to the whitelist
+// Example: p.AllowURLSchemes("mailto", "http", "https")
+func (p *Policy) AllowURLSchemes(schemes ...string) *Policy {
+ p.init()
+
+ p.RequireParseableURLs(true)
+
+ for _, scheme := range schemes {
+ scheme = strings.ToLower(scheme)
+
+ // Allow all URLs with matching scheme.
+ p.allowURLSchemes[scheme] = nil
+ }
+
+ return p
+}
+
+// AllowURLSchemeWithCustomPolicy will append URL schemes with
+// a custom URL policy to the whitelist.
+// Only the URLs with matching schema and urlPolicy(url)
+// returning true will be allowed.
+func (p *Policy) AllowURLSchemeWithCustomPolicy(
+ scheme string,
+ urlPolicy func(url *url.URL) (allowUrl bool),
+) *Policy {
+
+ p.init()
+
+ p.RequireParseableURLs(true)
+
+ scheme = strings.ToLower(scheme)
+
+ p.allowURLSchemes[scheme] = urlPolicy
+
+ return p
+}
+
+// AllowDocType states whether the HTML sanitised by the sanitizer is allowed to
+// contain the HTML DocType tag: or one of it's variants.
+//
+// The HTML spec only permits one doctype per document, and as you know how you
+// are using the output of this, you know best as to whether we should ignore it
+// (default) or not.
+//
+// If you are sanitizing a HTML fragment the default (false) is fine.
+func (p *Policy) AllowDocType(allow bool) *Policy {
+
+ p.allowDocType = allow
+
+ return p
+}
+
+// AddSpaceWhenStrippingTag states whether to add a single space " " when
+// removing tags that are not whitelisted by the policy.
+//
+// This is useful if you expect to strip tags in dense markup and may lose the
+// value of whitespace.
+//
+// For example: "Hello
World
"" would be sanitized to "HelloWorld"
+// with the default value of false, but you may wish to sanitize this to
+// " Hello World " by setting AddSpaceWhenStrippingTag to true as this would
+// retain the intent of the text.
+func (p *Policy) AddSpaceWhenStrippingTag(allow bool) *Policy {
+
+ p.addSpaces = allow
+
+ return p
+}
+
+// SkipElementsContent adds the HTML elements whose tags is needed to be removed
+// with it's content.
+func (p *Policy) SkipElementsContent(names ...string) *Policy {
+
+ p.init()
+
+ for _, element := range names {
+ element = strings.ToLower(element)
+
+ if _, ok := p.setOfElementsToSkipContent[element]; !ok {
+ p.setOfElementsToSkipContent[element] = struct{}{}
+ }
+ }
+
+ return p
+}
+
+// AllowElementsContent marks the HTML elements whose content should be
+// retained after removing the tag.
+func (p *Policy) AllowElementsContent(names ...string) *Policy {
+
+ p.init()
+
+ for _, element := range names {
+ delete(p.setOfElementsToSkipContent, strings.ToLower(element))
+ }
+
+ return p
+}
+
+// addDefaultElementsWithoutAttrs adds the HTML elements that we know are valid
+// without any attributes to an internal map.
+// i.e. we know that is valid, but isn't valid as the "dir" attr
+// is mandatory
+func (p *Policy) addDefaultElementsWithoutAttrs() {
+ p.init()
+
+ p.setOfElementsAllowedWithoutAttrs["abbr"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["acronym"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["article"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["aside"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["audio"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["b"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["bdi"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["blockquote"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["body"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["br"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["button"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["canvas"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["caption"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["cite"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["code"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["col"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["colgroup"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["datalist"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["dd"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["del"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["details"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["dfn"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["div"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["dl"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["dt"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["em"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["fieldset"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["figcaption"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["figure"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["footer"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h1"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h2"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h3"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h4"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h5"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["h6"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["head"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["header"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["hgroup"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["hr"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["html"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["i"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["ins"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["kbd"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["li"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["mark"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["nav"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["ol"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["optgroup"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["option"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["p"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["pre"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["q"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["rp"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["rt"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["ruby"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["s"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["samp"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["section"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["select"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["small"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["span"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["strike"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["strong"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["style"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["sub"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["summary"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["sup"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["svg"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["table"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["tbody"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["td"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["textarea"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["tfoot"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["th"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["thead"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["title"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["time"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["tr"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["tt"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["u"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["ul"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["var"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["video"] = struct{}{}
+ p.setOfElementsAllowedWithoutAttrs["wbr"] = struct{}{}
+
+}
+
+// addDefaultSkipElementContent adds the HTML elements that we should skip
+// rendering the character content of, if the element itself is not allowed.
+// This is all character data that the end user would not normally see.
+// i.e. if we exclude a tag.
+func (p *Policy) addDefaultSkipElementContent() {
+ p.init()
+
+ p.setOfElementsToSkipContent["frame"] = struct{}{}
+ p.setOfElementsToSkipContent["frameset"] = struct{}{}
+ p.setOfElementsToSkipContent["iframe"] = struct{}{}
+ p.setOfElementsToSkipContent["noembed"] = struct{}{}
+ p.setOfElementsToSkipContent["noframes"] = struct{}{}
+ p.setOfElementsToSkipContent["noscript"] = struct{}{}
+ p.setOfElementsToSkipContent["nostyle"] = struct{}{}
+ p.setOfElementsToSkipContent["object"] = struct{}{}
+ p.setOfElementsToSkipContent["script"] = struct{}{}
+ p.setOfElementsToSkipContent["style"] = struct{}{}
+ p.setOfElementsToSkipContent["title"] = struct{}{}
+}
diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
new file mode 100644
index 0000000..1d98a4e
--- /dev/null
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@@ -0,0 +1,539 @@
+// Copyright (c) 2014, David Kitchen
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// * Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// * Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// * Neither the name of the organisation (Microcosm) nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package bluemonday
+
+import (
+ "bytes"
+ "io"
+ "net/url"
+ "strings"
+
+ "golang.org/x/net/html"
+)
+
+// Sanitize takes a string that contains a HTML fragment or document and applies
+// the given policy whitelist.
+//
+// It returns a HTML string that has been sanitized by the policy or an empty
+// string if an error has occurred (most likely as a consequence of extremely
+// malformed input)
+func (p *Policy) Sanitize(s string) string {
+ if strings.TrimSpace(s) == "" {
+ return s
+ }
+
+ return p.sanitize(strings.NewReader(s)).String()
+}
+
+// SanitizeBytes takes a []byte that contains a HTML fragment or document and applies
+// the given policy whitelist.
+//
+// It returns a []byte containing the HTML that has been sanitized by the policy
+// or an empty []byte if an error has occurred (most likely as a consequence of
+// extremely malformed input)
+func (p *Policy) SanitizeBytes(b []byte) []byte {
+ if len(bytes.TrimSpace(b)) == 0 {
+ return b
+ }
+
+ return p.sanitize(bytes.NewReader(b)).Bytes()
+}
+
+// SanitizeReader takes an io.Reader that contains a HTML fragment or document
+// and applies the given policy whitelist.
+//
+// It returns a bytes.Buffer containing the HTML that has been sanitized by the
+// policy. Errors during sanitization will merely return an empty result.
+func (p *Policy) SanitizeReader(r io.Reader) *bytes.Buffer {
+ return p.sanitize(r)
+}
+
+// Performs the actual sanitization process.
+func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
+
+ // It is possible that the developer has created the policy via:
+ // p := bluemonday.Policy{}
+ // rather than:
+ // p := bluemonday.NewPolicy()
+ // If this is the case, and if they haven't yet triggered an action that
+ // would initiliaze the maps, then we need to do that.
+ p.init()
+
+ var (
+ buff bytes.Buffer
+ skipElementContent bool
+ skippingElementsCount int64
+ skipClosingTag bool
+ closingTagToSkipStack []string
+ mostRecentlyStartedToken string
+ )
+
+ tokenizer := html.NewTokenizer(r)
+ for {
+ if tokenizer.Next() == html.ErrorToken {
+ err := tokenizer.Err()
+ if err == io.EOF {
+ // End of input means end of processing
+ return &buff
+ }
+
+ // Raw tokenizer error
+ return &bytes.Buffer{}
+ }
+
+ token := tokenizer.Token()
+ switch token.Type {
+ case html.DoctypeToken:
+
+ if p.allowDocType {
+ buff.WriteString(token.String())
+ }
+
+ case html.CommentToken:
+
+ // Comments are ignored by default
+
+ case html.StartTagToken:
+
+ mostRecentlyStartedToken = token.Data
+
+ aps, ok := p.elsAndAttrs[token.Data]
+ if !ok {
+ if _, ok := p.setOfElementsToSkipContent[token.Data]; ok {
+ skipElementContent = true
+ skippingElementsCount++
+ }
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+
+ if len(token.Attr) != 0 {
+ token.Attr = p.sanitizeAttrs(token.Data, token.Attr, aps)
+ }
+
+ if len(token.Attr) == 0 {
+ if !p.allowNoAttrs(token.Data) {
+ skipClosingTag = true
+ closingTagToSkipStack = append(closingTagToSkipStack, token.Data)
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+ }
+
+ if !skipElementContent {
+ buff.WriteString(token.String())
+ }
+
+ case html.EndTagToken:
+
+ if mostRecentlyStartedToken == token.Data {
+ mostRecentlyStartedToken = ""
+ }
+
+ if skipClosingTag && closingTagToSkipStack[len(closingTagToSkipStack)-1] == token.Data {
+ closingTagToSkipStack = closingTagToSkipStack[:len(closingTagToSkipStack)-1]
+ if len(closingTagToSkipStack) == 0 {
+ skipClosingTag = false
+ }
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+
+ if _, ok := p.elsAndAttrs[token.Data]; !ok {
+ if _, ok := p.setOfElementsToSkipContent[token.Data]; ok {
+ skippingElementsCount--
+ if skippingElementsCount == 0 {
+ skipElementContent = false
+ }
+ }
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+
+ if !skipElementContent {
+ buff.WriteString(token.String())
+ }
+
+ case html.SelfClosingTagToken:
+
+ aps, ok := p.elsAndAttrs[token.Data]
+ if !ok {
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+
+ if len(token.Attr) != 0 {
+ token.Attr = p.sanitizeAttrs(token.Data, token.Attr, aps)
+ }
+
+ if len(token.Attr) == 0 && !p.allowNoAttrs(token.Data) {
+ if p.addSpaces {
+ buff.WriteString(" ")
+ }
+ break
+ }
+
+ if !skipElementContent {
+ buff.WriteString(token.String())
+ }
+
+ case html.TextToken:
+
+ if !skipElementContent {
+ switch strings.ToLower(mostRecentlyStartedToken) {
+ case "script":
+ // not encouraged, but if a policy allows JavaScript we
+ // should not HTML escape it as that would break the output
+ buff.WriteString(token.Data)
+ case "style":
+ // not encouraged, but if a policy allows CSS styles we
+ // should not HTML escape it as that would break the output
+ buff.WriteString(token.Data)
+ default:
+ // HTML escape the text
+ buff.WriteString(token.String())
+ }
+ }
+
+ default:
+ // A token that didn't exist in the html package when we wrote this
+ return &bytes.Buffer{}
+ }
+ }
+}
+
+// sanitizeAttrs takes a set of element attribute policies and the global
+// attribute policies and applies them to the []html.Attribute returning a set
+// of html.Attributes that match the policies
+func (p *Policy) sanitizeAttrs(
+ elementName string,
+ attrs []html.Attribute,
+ aps map[string]attrPolicy,
+) []html.Attribute {
+
+ if len(attrs) == 0 {
+ return attrs
+ }
+
+ // Builds a new attribute slice based on the whether the attribute has been
+ // whitelisted explicitly or globally.
+ cleanAttrs := []html.Attribute{}
+ for _, htmlAttr := range attrs {
+ // Is there an element specific attribute policy that applies?
+ if ap, ok := aps[htmlAttr.Key]; ok {
+ if ap.regexp != nil {
+ if ap.regexp.MatchString(htmlAttr.Val) {
+ cleanAttrs = append(cleanAttrs, htmlAttr)
+ continue
+ }
+ } else {
+ cleanAttrs = append(cleanAttrs, htmlAttr)
+ continue
+ }
+ }
+
+ // Is there a global attribute policy that applies?
+ if ap, ok := p.globalAttrs[htmlAttr.Key]; ok {
+ if ap.regexp != nil {
+ if ap.regexp.MatchString(htmlAttr.Val) {
+ cleanAttrs = append(cleanAttrs, htmlAttr)
+ }
+ } else {
+ cleanAttrs = append(cleanAttrs, htmlAttr)
+ }
+ }
+ }
+
+ if len(cleanAttrs) == 0 {
+ // If nothing was allowed, let's get out of here
+ return cleanAttrs
+ }
+ // cleanAttrs now contains the attributes that are permitted
+
+ if linkable(elementName) {
+ if p.requireParseableURLs {
+ // Ensure URLs are parseable:
+ // - a.href
+ // - area.href
+ // - link.href
+ // - blockquote.cite
+ // - q.cite
+ // - img.src
+ // - script.src
+ tmpAttrs := []html.Attribute{}
+ for _, htmlAttr := range cleanAttrs {
+ switch elementName {
+ case "a", "area", "link":
+ if htmlAttr.Key == "href" {
+ if u, ok := p.validURL(htmlAttr.Val); ok {
+ htmlAttr.Val = u
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ break
+ }
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ case "blockquote", "q":
+ if htmlAttr.Key == "cite" {
+ if u, ok := p.validURL(htmlAttr.Val); ok {
+ htmlAttr.Val = u
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ break
+ }
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ case "img", "script":
+ if htmlAttr.Key == "src" {
+ if u, ok := p.validURL(htmlAttr.Val); ok {
+ htmlAttr.Val = u
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ break
+ }
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ default:
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ }
+ cleanAttrs = tmpAttrs
+ }
+
+ if (p.requireNoFollow ||
+ p.requireNoFollowFullyQualifiedLinks ||
+ p.addTargetBlankToFullyQualifiedLinks) &&
+ len(cleanAttrs) > 0 {
+
+ // Add rel="nofollow" if a "href" exists
+ switch elementName {
+ case "a", "area", "link":
+ var hrefFound bool
+ var externalLink bool
+ for _, htmlAttr := range cleanAttrs {
+ if htmlAttr.Key == "href" {
+ hrefFound = true
+
+ u, err := url.Parse(htmlAttr.Val)
+ if err != nil {
+ continue
+ }
+ if u.Host != "" {
+ externalLink = true
+ }
+
+ continue
+ }
+ }
+
+ if hrefFound {
+ var (
+ noFollowFound bool
+ targetBlankFound bool
+ )
+
+ addNoFollow := (p.requireNoFollow ||
+ externalLink && p.requireNoFollowFullyQualifiedLinks)
+
+ addTargetBlank := (externalLink &&
+ p.addTargetBlankToFullyQualifiedLinks)
+
+ tmpAttrs := []html.Attribute{}
+ for _, htmlAttr := range cleanAttrs {
+
+ var appended bool
+ if htmlAttr.Key == "rel" && addNoFollow {
+
+ if strings.Contains(htmlAttr.Val, "nofollow") {
+ noFollowFound = true
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ appended = true
+ } else {
+ htmlAttr.Val += " nofollow"
+ noFollowFound = true
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ appended = true
+ }
+ }
+
+ if elementName == "a" && htmlAttr.Key == "target" {
+ if htmlAttr.Val == "_blank" {
+ targetBlankFound = true
+ }
+ if addTargetBlank && !targetBlankFound {
+ htmlAttr.Val = "_blank"
+ targetBlankFound = true
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ appended = true
+ }
+ }
+
+ if !appended {
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ }
+ if noFollowFound || targetBlankFound {
+ cleanAttrs = tmpAttrs
+ }
+
+ if addNoFollow && !noFollowFound {
+ rel := html.Attribute{}
+ rel.Key = "rel"
+ rel.Val = "nofollow"
+ cleanAttrs = append(cleanAttrs, rel)
+ }
+
+ if elementName == "a" && addTargetBlank && !targetBlankFound {
+ rel := html.Attribute{}
+ rel.Key = "target"
+ rel.Val = "_blank"
+ targetBlankFound = true
+ cleanAttrs = append(cleanAttrs, rel)
+ }
+
+ if targetBlankFound {
+ // target="_blank" has a security risk that allows the
+ // opened window/tab to issue JavaScript calls against
+ // window.opener, which in effect allow the destination
+ // of the link to control the source:
+ // https://dev.to/ben/the-targetblank-vulnerability-by-example
+ //
+ // To mitigate this risk, we need to add a specific rel
+ // attribute if it is not already present.
+ // rel="noopener"
+ //
+ // Unfortunately this is processing the rel twice (we
+ // already looked at it earlier ^^) as we cannot be sure
+ // of the ordering of the href and rel, and whether we
+ // have fully satisfied that we need to do this. This
+ // double processing only happens *if* target="_blank"
+ // is true.
+ var noOpenerAdded bool
+ tmpAttrs := []html.Attribute{}
+ for _, htmlAttr := range cleanAttrs {
+ var appended bool
+ if htmlAttr.Key == "rel" {
+ if strings.Contains(htmlAttr.Val, "noopener") {
+ noOpenerAdded = true
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ } else {
+ htmlAttr.Val += " noopener"
+ noOpenerAdded = true
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+
+ appended = true
+ }
+ if !appended {
+ tmpAttrs = append(tmpAttrs, htmlAttr)
+ }
+ }
+ if noOpenerAdded {
+ cleanAttrs = tmpAttrs
+ } else {
+ // rel attr was not found, or else noopener would
+ // have been added already
+ rel := html.Attribute{}
+ rel.Key = "rel"
+ rel.Val = "noopener"
+ cleanAttrs = append(cleanAttrs, rel)
+ }
+
+ }
+ }
+ default:
+ }
+ }
+ }
+
+ return cleanAttrs
+}
+
+func (p *Policy) allowNoAttrs(elementName string) bool {
+ _, ok := p.setOfElementsAllowedWithoutAttrs[elementName]
+ return ok
+}
+
+func (p *Policy) validURL(rawurl string) (string, bool) {
+ if p.requireParseableURLs {
+ // URLs do not contain whitespace
+ if strings.Contains(rawurl, " ") ||
+ strings.Contains(rawurl, "\t") ||
+ strings.Contains(rawurl, "\n") {
+ return "", false
+ }
+
+ u, err := url.Parse(rawurl)
+ if err != nil {
+ return "", false
+ }
+
+ if u.Scheme != "" {
+
+ urlPolicy, ok := p.allowURLSchemes[u.Scheme]
+ if !ok {
+ return "", false
+
+ }
+
+ if urlPolicy == nil || urlPolicy(u) == true {
+ return u.String(), true
+ }
+
+ return "", false
+ }
+
+ if p.allowRelativeURLs {
+ if u.String() != "" {
+ return u.String(), true
+ }
+ }
+
+ return "", false
+ }
+
+ return rawurl, true
+}
+
+func linkable(elementName string) bool {
+ switch elementName {
+ case "a", "area", "blockquote", "img", "link", "script":
+ return true
+ default:
+ return false
+ }
+}
diff --git a/vendor/github.com/russross/blackfriday/.gitignore b/vendor/github.com/russross/blackfriday/.gitignore
new file mode 100644
index 0000000..75623dc
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/.gitignore
@@ -0,0 +1,8 @@
+*.out
+*.swp
+*.8
+*.6
+_obj
+_test*
+markdown
+tags
diff --git a/vendor/github.com/russross/blackfriday/.travis.yml b/vendor/github.com/russross/blackfriday/.travis.yml
new file mode 100644
index 0000000..a1687f1
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/.travis.yml
@@ -0,0 +1,30 @@
+sudo: false
+language: go
+go:
+ - 1.5.4
+ - 1.6.2
+ - tip
+matrix:
+ include:
+ - go: 1.2.2
+ script:
+ - go get -t -v ./...
+ - go test -v -race ./...
+ - go: 1.3.3
+ script:
+ - go get -t -v ./...
+ - go test -v -race ./...
+ - go: 1.4.3
+ script:
+ - go get -t -v ./...
+ - go test -v -race ./...
+ allow_failures:
+ - go: tip
+ fast_finish: true
+install:
+ - # Do nothing. This is needed to prevent default install action "go get -t -v ./..." from happening here (we want it to happen inside script step).
+script:
+ - go get -t -v ./...
+ - diff -u <(echo -n) <(gofmt -d -s .)
+ - go tool vet .
+ - go test -v -race ./...
diff --git a/vendor/github.com/russross/blackfriday/LICENSE.txt b/vendor/github.com/russross/blackfriday/LICENSE.txt
new file mode 100644
index 0000000..2885af3
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/LICENSE.txt
@@ -0,0 +1,29 @@
+Blackfriday is distributed under the Simplified BSD License:
+
+> Copyright © 2011 Russ Ross
+> All rights reserved.
+>
+> Redistribution and use in source and binary forms, with or without
+> modification, are permitted provided that the following conditions
+> are met:
+>
+> 1. Redistributions of source code must retain the above copyright
+> notice, this list of conditions and the following disclaimer.
+>
+> 2. Redistributions in binary form must reproduce the above
+> copyright notice, this list of conditions and the following
+> disclaimer in the documentation and/or other materials provided with
+> the distribution.
+>
+> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+> COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+> BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+> CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+> LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+> ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+> POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/russross/blackfriday/README.md b/vendor/github.com/russross/blackfriday/README.md
new file mode 100644
index 0000000..3c113cb
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/README.md
@@ -0,0 +1,276 @@
+Blackfriday [](https://travis-ci.org/russross/blackfriday) [](https://godoc.org/github.com/russross/blackfriday)
+===========
+
+Blackfriday is a [Markdown][1] processor implemented in [Go][2]. It
+is paranoid about its input (so you can safely feed it user-supplied
+data), it is fast, it supports common extensions (tables, smart
+punctuation substitutions, etc.), and it is safe for all utf-8
+(unicode) input.
+
+HTML output is currently supported, along with Smartypants
+extensions. An experimental LaTeX output engine is also included.
+
+It started as a translation from C of [Sundown][3].
+
+
+Installation
+------------
+
+Blackfriday is compatible with Go 1. If you are using an older
+release of Go, consider using v1.1 of blackfriday, which was based
+on the last stable release of Go prior to Go 1. You can find it as a
+tagged commit on github.
+
+With Go 1 and git installed:
+
+ go get github.com/russross/blackfriday
+
+will download, compile, and install the package into your `$GOPATH`
+directory hierarchy. Alternatively, you can achieve the same if you
+import it into a project:
+
+ import "github.com/russross/blackfriday"
+
+and `go get` without parameters.
+
+Usage
+-----
+
+For basic usage, it is as simple as getting your input into a byte
+slice and calling:
+
+ output := blackfriday.MarkdownBasic(input)
+
+This renders it with no extensions enabled. To get a more useful
+feature set, use this instead:
+
+ output := blackfriday.MarkdownCommon(input)
+
+### Sanitize untrusted content
+
+Blackfriday itself does nothing to protect against malicious content. If you are
+dealing with user-supplied markdown, we recommend running blackfriday's output
+through HTML sanitizer such as
+[Bluemonday](https://github.com/microcosm-cc/bluemonday).
+
+Here's an example of simple usage of blackfriday together with bluemonday:
+
+``` go
+import (
+ "github.com/microcosm-cc/bluemonday"
+ "github.com/russross/blackfriday"
+)
+
+// ...
+unsafe := blackfriday.MarkdownCommon(input)
+html := bluemonday.UGCPolicy().SanitizeBytes(unsafe)
+```
+
+### Custom options
+
+If you want to customize the set of options, first get a renderer
+(currently either the HTML or LaTeX output engines), then use it to
+call the more general `Markdown` function. For examples, see the
+implementations of `MarkdownBasic` and `MarkdownCommon` in
+`markdown.go`.
+
+You can also check out `blackfriday-tool` for a more complete example
+of how to use it. Download and install it using:
+
+ go get github.com/russross/blackfriday-tool
+
+This is a simple command-line tool that allows you to process a
+markdown file using a standalone program. You can also browse the
+source directly on github if you are just looking for some example
+code:
+
+*
+
+Note that if you have not already done so, installing
+`blackfriday-tool` will be sufficient to download and install
+blackfriday in addition to the tool itself. The tool binary will be
+installed in `$GOPATH/bin`. This is a statically-linked binary that
+can be copied to wherever you need it without worrying about
+dependencies and library versions.
+
+
+Features
+--------
+
+All features of Sundown are supported, including:
+
+* **Compatibility**. The Markdown v1.0.3 test suite passes with
+ the `--tidy` option. Without `--tidy`, the differences are
+ mostly in whitespace and entity escaping, where blackfriday is
+ more consistent and cleaner.
+
+* **Common extensions**, including table support, fenced code
+ blocks, autolinks, strikethroughs, non-strict emphasis, etc.
+
+* **Safety**. Blackfriday is paranoid when parsing, making it safe
+ to feed untrusted user input without fear of bad things
+ happening. The test suite stress tests this and there are no
+ known inputs that make it crash. If you find one, please let me
+ know and send me the input that does it.
+
+ NOTE: "safety" in this context means *runtime safety only*. In order to
+ protect yourself against JavaScript injection in untrusted content, see
+ [this example](https://github.com/russross/blackfriday#sanitize-untrusted-content).
+
+* **Fast processing**. It is fast enough to render on-demand in
+ most web applications without having to cache the output.
+
+* **Thread safety**. You can run multiple parsers in different
+ goroutines without ill effect. There is no dependence on global
+ shared state.
+
+* **Minimal dependencies**. Blackfriday only depends on standard
+ library packages in Go. The source code is pretty
+ self-contained, so it is easy to add to any project, including
+ Google App Engine projects.
+
+* **Standards compliant**. Output successfully validates using the
+ W3C validation tool for HTML 4.01 and XHTML 1.0 Transitional.
+
+
+Extensions
+----------
+
+In addition to the standard markdown syntax, this package
+implements the following extensions:
+
+* **Intra-word emphasis supression**. The `_` character is
+ commonly used inside words when discussing code, so having
+ markdown interpret it as an emphasis command is usually the
+ wrong thing. Blackfriday lets you treat all emphasis markers as
+ normal characters when they occur inside a word.
+
+* **Tables**. Tables can be created by drawing them in the input
+ using a simple syntax:
+
+ ```
+ Name | Age
+ --------|------
+ Bob | 27
+ Alice | 23
+ ```
+
+* **Fenced code blocks**. In addition to the normal 4-space
+ indentation to mark code blocks, you can explicitly mark them
+ and supply a language (to make syntax highlighting simple). Just
+ mark it like this:
+
+ ``` go
+ func getTrue() bool {
+ return true
+ }
+ ```
+
+ You can use 3 or more backticks to mark the beginning of the
+ block, and the same number to mark the end of the block.
+
+ To preserve classes of fenced code blocks while using the bluemonday
+ HTML sanitizer, use the following policy:
+
+ ``` go
+ p := bluemonday.UGCPolicy()
+ p.AllowAttrs("class").Matching(regexp.MustCompile("^language-[a-zA-Z0-9]+$")).OnElements("code")
+ html := p.SanitizeBytes(unsafe)
+ ```
+
+* **Definition lists**. A simple definition list is made of a single-line
+ term followed by a colon and the definition for that term.
+
+ Cat
+ : Fluffy animal everyone likes
+
+ Internet
+ : Vector of transmission for pictures of cats
+
+ Terms must be separated from the previous definition by a blank line.
+
+* **Footnotes**. A marker in the text that will become a superscript number;
+ a footnote definition that will be placed in a list of footnotes at the
+ end of the document. A footnote looks like this:
+
+ This is a footnote.[^1]
+
+ [^1]: the footnote text.
+
+* **Autolinking**. Blackfriday can find URLs that have not been
+ explicitly marked as links and turn them into links.
+
+* **Strikethrough**. Use two tildes (`~~`) to mark text that
+ should be crossed out.
+
+* **Hard line breaks**. With this extension enabled (it is off by
+ default in the `MarkdownBasic` and `MarkdownCommon` convenience
+ functions), newlines in the input translate into line breaks in
+ the output.
+
+* **Smart quotes**. Smartypants-style punctuation substitution is
+ supported, turning normal double- and single-quote marks into
+ curly quotes, etc.
+
+* **LaTeX-style dash parsing** is an additional option, where `--`
+ is translated into `–`, and `---` is translated into
+ `—`. This differs from most smartypants processors, which
+ turn a single hyphen into an ndash and a double hyphen into an
+ mdash.
+
+* **Smart fractions**, where anything that looks like a fraction
+ is translated into suitable HTML (instead of just a few special
+ cases like most smartypant processors). For example, `4/5`
+ becomes `4⁄5`, which renders as
+ 4⁄5.
+
+
+Other renderers
+---------------
+
+Blackfriday is structured to allow alternative rendering engines. Here
+are a few of note:
+
+* [github_flavored_markdown](https://godoc.org/github.com/shurcooL/github_flavored_markdown):
+ provides a GitHub Flavored Markdown renderer with fenced code block
+ highlighting, clickable header anchor links.
+
+ It's not customizable, and its goal is to produce HTML output
+ equivalent to the [GitHub Markdown API endpoint](https://developer.github.com/v3/markdown/#render-a-markdown-document-in-raw-mode),
+ except the rendering is performed locally.
+
+* [markdownfmt](https://github.com/shurcooL/markdownfmt): like gofmt,
+ but for markdown.
+
+* LaTeX output: renders output as LaTeX. This is currently part of the
+ main Blackfriday repository, but may be split into its own project
+ in the future. If you are interested in owning and maintaining the
+ LaTeX output component, please be in touch.
+
+ It renders some basic documents, but is only experimental at this
+ point. In particular, it does not do any inline escaping, so input
+ that happens to look like LaTeX code will be passed through without
+ modification.
+
+* [Md2Vim](https://github.com/FooSoft/md2vim): transforms markdown files into vimdoc format.
+
+
+Todo
+----
+
+* More unit testing
+* Improve unicode support. It does not understand all unicode
+ rules (about what constitutes a letter, a punctuation symbol,
+ etc.), so it may fail to detect word boundaries correctly in
+ some instances. It is safe on all utf-8 input.
+
+
+License
+-------
+
+[Blackfriday is distributed under the Simplified BSD License](LICENSE.txt)
+
+
+ [1]: http://daringfireball.net/projects/markdown/ "Markdown"
+ [2]: http://golang.org/ "Go Language"
+ [3]: https://github.com/vmg/sundown "Sundown"
diff --git a/vendor/github.com/russross/blackfriday/block.go b/vendor/github.com/russross/blackfriday/block.go
new file mode 100644
index 0000000..9cf451f
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/block.go
@@ -0,0 +1,1430 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross .
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+// Functions to parse block-level elements.
+//
+
+package blackfriday
+
+import (
+ "bytes"
+
+ "github.com/shurcooL/sanitized_anchor_name"
+)
+
+// Parse block-level data.
+// Note: this function and many that it calls assume that
+// the input buffer ends with a newline.
+func (p *parser) block(out *bytes.Buffer, data []byte) {
+ if len(data) == 0 || data[len(data)-1] != '\n' {
+ panic("block input is missing terminating newline")
+ }
+
+ // this is called recursively: enforce a maximum depth
+ if p.nesting >= p.maxNesting {
+ return
+ }
+ p.nesting++
+
+ // parse out one block-level construct at a time
+ for len(data) > 0 {
+ // prefixed header:
+ //
+ // # Header 1
+ // ## Header 2
+ // ...
+ // ###### Header 6
+ if p.isPrefixHeader(data) {
+ data = data[p.prefixHeader(out, data):]
+ continue
+ }
+
+ // block of preformatted HTML:
+ //
+ //
+ // ...
+ //
+ if data[0] == '<' {
+ if i := p.html(out, data, true); i > 0 {
+ data = data[i:]
+ continue
+ }
+ }
+
+ // title block
+ //
+ // % stuff
+ // % more stuff
+ // % even more stuff
+ if p.flags&EXTENSION_TITLEBLOCK != 0 {
+ if data[0] == '%' {
+ if i := p.titleBlock(out, data, true); i > 0 {
+ data = data[i:]
+ continue
+ }
+ }
+ }
+
+ // blank lines. note: returns the # of bytes to skip
+ if i := p.isEmpty(data); i > 0 {
+ data = data[i:]
+ continue
+ }
+
+ // indented code block:
+ //
+ // func max(a, b int) int {
+ // if a > b {
+ // return a
+ // }
+ // return b
+ // }
+ if p.codePrefix(data) > 0 {
+ data = data[p.code(out, data):]
+ continue
+ }
+
+ // fenced code block:
+ //
+ // ``` go
+ // func fact(n int) int {
+ // if n <= 1 {
+ // return n
+ // }
+ // return n * fact(n-1)
+ // }
+ // ```
+ if p.flags&EXTENSION_FENCED_CODE != 0 {
+ if i := p.fencedCodeBlock(out, data, true); i > 0 {
+ data = data[i:]
+ continue
+ }
+ }
+
+ // horizontal rule:
+ //
+ // ------
+ // or
+ // ******
+ // or
+ // ______
+ if p.isHRule(data) {
+ p.r.HRule(out)
+ var i int
+ for i = 0; data[i] != '\n'; i++ {
+ }
+ data = data[i:]
+ continue
+ }
+
+ // block quote:
+ //
+ // > A big quote I found somewhere
+ // > on the web
+ if p.quotePrefix(data) > 0 {
+ data = data[p.quote(out, data):]
+ continue
+ }
+
+ // table:
+ //
+ // Name | Age | Phone
+ // ------|-----|---------
+ // Bob | 31 | 555-1234
+ // Alice | 27 | 555-4321
+ if p.flags&EXTENSION_TABLES != 0 {
+ if i := p.table(out, data); i > 0 {
+ data = data[i:]
+ continue
+ }
+ }
+
+ // an itemized/unordered list:
+ //
+ // * Item 1
+ // * Item 2
+ //
+ // also works with + or -
+ if p.uliPrefix(data) > 0 {
+ data = data[p.list(out, data, 0):]
+ continue
+ }
+
+ // a numbered/ordered list:
+ //
+ // 1. Item 1
+ // 2. Item 2
+ if p.oliPrefix(data) > 0 {
+ data = data[p.list(out, data, LIST_TYPE_ORDERED):]
+ continue
+ }
+
+ // definition lists:
+ //
+ // Term 1
+ // : Definition a
+ // : Definition b
+ //
+ // Term 2
+ // : Definition c
+ if p.flags&EXTENSION_DEFINITION_LISTS != 0 {
+ if p.dliPrefix(data) > 0 {
+ data = data[p.list(out, data, LIST_TYPE_DEFINITION):]
+ continue
+ }
+ }
+
+ // anything else must look like a normal paragraph
+ // note: this finds underlined headers, too
+ data = data[p.paragraph(out, data):]
+ }
+
+ p.nesting--
+}
+
+func (p *parser) isPrefixHeader(data []byte) bool {
+ if data[0] != '#' {
+ return false
+ }
+
+ if p.flags&EXTENSION_SPACE_HEADERS != 0 {
+ level := 0
+ for level < 6 && data[level] == '#' {
+ level++
+ }
+ if data[level] != ' ' {
+ return false
+ }
+ }
+ return true
+}
+
+func (p *parser) prefixHeader(out *bytes.Buffer, data []byte) int {
+ level := 0
+ for level < 6 && data[level] == '#' {
+ level++
+ }
+ i := skipChar(data, level, ' ')
+ end := skipUntilChar(data, i, '\n')
+ skip := end
+ id := ""
+ if p.flags&EXTENSION_HEADER_IDS != 0 {
+ j, k := 0, 0
+ // find start/end of header id
+ for j = i; j < end-1 && (data[j] != '{' || data[j+1] != '#'); j++ {
+ }
+ for k = j + 1; k < end && data[k] != '}'; k++ {
+ }
+ // extract header id iff found
+ if j < end && k < end {
+ id = string(data[j+2 : k])
+ end = j
+ skip = k + 1
+ for end > 0 && data[end-1] == ' ' {
+ end--
+ }
+ }
+ }
+ for end > 0 && data[end-1] == '#' {
+ if isBackslashEscaped(data, end-1) {
+ break
+ }
+ end--
+ }
+ for end > 0 && data[end-1] == ' ' {
+ end--
+ }
+ if end > i {
+ if id == "" && p.flags&EXTENSION_AUTO_HEADER_IDS != 0 {
+ id = sanitized_anchor_name.Create(string(data[i:end]))
+ }
+ work := func() bool {
+ p.inline(out, data[i:end])
+ return true
+ }
+ p.r.Header(out, work, level, id)
+ }
+ return skip
+}
+
+func (p *parser) isUnderlinedHeader(data []byte) int {
+ // test of level 1 header
+ if data[0] == '=' {
+ i := skipChar(data, 1, '=')
+ i = skipChar(data, i, ' ')
+ if data[i] == '\n' {
+ return 1
+ } else {
+ return 0
+ }
+ }
+
+ // test of level 2 header
+ if data[0] == '-' {
+ i := skipChar(data, 1, '-')
+ i = skipChar(data, i, ' ')
+ if data[i] == '\n' {
+ return 2
+ } else {
+ return 0
+ }
+ }
+
+ return 0
+}
+
+func (p *parser) titleBlock(out *bytes.Buffer, data []byte, doRender bool) int {
+ if data[0] != '%' {
+ return 0
+ }
+ splitData := bytes.Split(data, []byte("\n"))
+ var i int
+ for idx, b := range splitData {
+ if !bytes.HasPrefix(b, []byte("%")) {
+ i = idx // - 1
+ break
+ }
+ }
+
+ data = bytes.Join(splitData[0:i], []byte("\n"))
+ p.r.TitleBlock(out, data)
+
+ return len(data)
+}
+
+func (p *parser) html(out *bytes.Buffer, data []byte, doRender bool) int {
+ var i, j int
+
+ // identify the opening tag
+ if data[0] != '<' {
+ return 0
+ }
+ curtag, tagfound := p.htmlFindTag(data[1:])
+
+ // handle special cases
+ if !tagfound {
+ // check for an HTML comment
+ if size := p.htmlComment(out, data, doRender); size > 0 {
+ return size
+ }
+
+ // check for an
tag
+ if size := p.htmlHr(out, data, doRender); size > 0 {
+ return size
+ }
+
+ // check for HTML CDATA
+ if size := p.htmlCDATA(out, data, doRender); size > 0 {
+ return size
+ }
+
+ // no special case recognized
+ return 0
+ }
+
+ // look for an unindented matching closing tag
+ // followed by a blank line
+ found := false
+ /*
+ closetag := []byte("\n")
+ j = len(curtag) + 1
+ for !found {
+ // scan for a closing tag at the beginning of a line
+ if skip := bytes.Index(data[j:], closetag); skip >= 0 {
+ j += skip + len(closetag)
+ } else {
+ break
+ }
+
+ // see if it is the only thing on the line
+ if skip := p.isEmpty(data[j:]); skip > 0 {
+ // see if it is followed by a blank line/eof
+ j += skip
+ if j >= len(data) {
+ found = true
+ i = j
+ } else {
+ if skip := p.isEmpty(data[j:]); skip > 0 {
+ j += skip
+ found = true
+ i = j
+ }
+ }
+ }
+ }
+ */
+
+ // if not found, try a second pass looking for indented match
+ // but not if tag is "ins" or "del" (following original Markdown.pl)
+ if !found && curtag != "ins" && curtag != "del" {
+ i = 1
+ for i < len(data) {
+ i++
+ for i < len(data) && !(data[i-1] == '<' && data[i] == '/') {
+ i++
+ }
+
+ if i+2+len(curtag) >= len(data) {
+ break
+ }
+
+ j = p.htmlFindEnd(curtag, data[i-1:])
+
+ if j > 0 {
+ i += j - 1
+ found = true
+ break
+ }
+ }
+ }
+
+ if !found {
+ return 0
+ }
+
+ // the end of the block has been found
+ if doRender {
+ // trim newlines
+ end := i
+ for end > 0 && data[end-1] == '\n' {
+ end--
+ }
+ p.r.BlockHtml(out, data[:end])
+ }
+
+ return i
+}
+
+func (p *parser) renderHTMLBlock(out *bytes.Buffer, data []byte, start int, doRender bool) int {
+ // html block needs to end with a blank line
+ if i := p.isEmpty(data[start:]); i > 0 {
+ size := start + i
+ if doRender {
+ // trim trailing newlines
+ end := size
+ for end > 0 && data[end-1] == '\n' {
+ end--
+ }
+ p.r.BlockHtml(out, data[:end])
+ }
+ return size
+ }
+ return 0
+}
+
+// HTML comment, lax form
+func (p *parser) htmlComment(out *bytes.Buffer, data []byte, doRender bool) int {
+ i := p.inlineHTMLComment(out, data)
+ return p.renderHTMLBlock(out, data, i, doRender)
+}
+
+// HTML CDATA section
+func (p *parser) htmlCDATA(out *bytes.Buffer, data []byte, doRender bool) int {
+ const cdataTag = "') {
+ i++
+ }
+ i++
+ // no end-of-comment marker
+ if i >= len(data) {
+ return 0
+ }
+ return p.renderHTMLBlock(out, data, i, doRender)
+}
+
+// HR, which is the only self-closing block tag considered
+func (p *parser) htmlHr(out *bytes.Buffer, data []byte, doRender bool) int {
+ if data[0] != '<' || (data[1] != 'h' && data[1] != 'H') || (data[2] != 'r' && data[2] != 'R') {
+ return 0
+ }
+ if data[3] != ' ' && data[3] != '/' && data[3] != '>' {
+ // not an
tag after all; at least not a valid one
+ return 0
+ }
+
+ i := 3
+ for data[i] != '>' && data[i] != '\n' {
+ i++
+ }
+
+ if data[i] == '>' {
+ return p.renderHTMLBlock(out, data, i+1, doRender)
+ }
+
+ return 0
+}
+
+func (p *parser) htmlFindTag(data []byte) (string, bool) {
+ i := 0
+ for isalnum(data[i]) {
+ i++
+ }
+ key := string(data[:i])
+ if _, ok := blockTags[key]; ok {
+ return key, true
+ }
+ return "", false
+}
+
+func (p *parser) htmlFindEnd(tag string, data []byte) int {
+ // assume data[0] == '<' && data[1] == '/' already tested
+
+ // check if tag is a match
+ closetag := []byte("")
+ if !bytes.HasPrefix(data, closetag) {
+ return 0
+ }
+ i := len(closetag)
+
+ // check that the rest of the line is blank
+ skip := 0
+ if skip = p.isEmpty(data[i:]); skip == 0 {
+ return 0
+ }
+ i += skip
+ skip = 0
+
+ if i >= len(data) {
+ return i
+ }
+
+ if p.flags&EXTENSION_LAX_HTML_BLOCKS != 0 {
+ return i
+ }
+ if skip = p.isEmpty(data[i:]); skip == 0 {
+ // following line must be blank
+ return 0
+ }
+
+ return i + skip
+}
+
+func (*parser) isEmpty(data []byte) int {
+ // it is okay to call isEmpty on an empty buffer
+ if len(data) == 0 {
+ return 0
+ }
+
+ var i int
+ for i = 0; i < len(data) && data[i] != '\n'; i++ {
+ if data[i] != ' ' && data[i] != '\t' {
+ return 0
+ }
+ }
+ return i + 1
+}
+
+func (*parser) isHRule(data []byte) bool {
+ i := 0
+
+ // skip up to three spaces
+ for i < 3 && data[i] == ' ' {
+ i++
+ }
+
+ // look at the hrule char
+ if data[i] != '*' && data[i] != '-' && data[i] != '_' {
+ return false
+ }
+ c := data[i]
+
+ // the whole line must be the char or whitespace
+ n := 0
+ for data[i] != '\n' {
+ switch {
+ case data[i] == c:
+ n++
+ case data[i] != ' ':
+ return false
+ }
+ i++
+ }
+
+ return n >= 3
+}
+
+// isFenceLine checks if there's a fence line (e.g., ``` or ``` go) at the beginning of data,
+// and returns the end index if so, or 0 otherwise. It also returns the marker found.
+// If syntax is not nil, it gets set to the syntax specified in the fence line.
+// A final newline is mandatory to recognize the fence line, unless newlineOptional is true.
+func isFenceLine(data []byte, syntax *string, oldmarker string, newlineOptional bool) (end int, marker string) {
+ i, size := 0, 0
+
+ // skip up to three spaces
+ for i < len(data) && i < 3 && data[i] == ' ' {
+ i++
+ }
+
+ // check for the marker characters: ~ or `
+ if i >= len(data) {
+ return 0, ""
+ }
+ if data[i] != '~' && data[i] != '`' {
+ return 0, ""
+ }
+
+ c := data[i]
+
+ // the whole line must be the same char or whitespace
+ for i < len(data) && data[i] == c {
+ size++
+ i++
+ }
+
+ // the marker char must occur at least 3 times
+ if size < 3 {
+ return 0, ""
+ }
+ marker = string(data[i-size : i])
+
+ // if this is the end marker, it must match the beginning marker
+ if oldmarker != "" && marker != oldmarker {
+ return 0, ""
+ }
+
+ // TODO(shurcooL): It's probably a good idea to simplify the 2 code paths here
+ // into one, always get the syntax, and discard it if the caller doesn't care.
+ if syntax != nil {
+ syn := 0
+ i = skipChar(data, i, ' ')
+
+ if i >= len(data) {
+ if newlineOptional && i == len(data) {
+ return i, marker
+ }
+ return 0, ""
+ }
+
+ syntaxStart := i
+
+ if data[i] == '{' {
+ i++
+ syntaxStart++
+
+ for i < len(data) && data[i] != '}' && data[i] != '\n' {
+ syn++
+ i++
+ }
+
+ if i >= len(data) || data[i] != '}' {
+ return 0, ""
+ }
+
+ // strip all whitespace at the beginning and the end
+ // of the {} block
+ for syn > 0 && isspace(data[syntaxStart]) {
+ syntaxStart++
+ syn--
+ }
+
+ for syn > 0 && isspace(data[syntaxStart+syn-1]) {
+ syn--
+ }
+
+ i++
+ } else {
+ for i < len(data) && !isspace(data[i]) {
+ syn++
+ i++
+ }
+ }
+
+ *syntax = string(data[syntaxStart : syntaxStart+syn])
+ }
+
+ i = skipChar(data, i, ' ')
+ if i >= len(data) || data[i] != '\n' {
+ if newlineOptional && i == len(data) {
+ return i, marker
+ }
+ return 0, ""
+ }
+
+ return i + 1, marker // Take newline into account.
+}
+
+// fencedCodeBlock returns the end index if data contains a fenced code block at the beginning,
+// or 0 otherwise. It writes to out if doRender is true, otherwise it has no side effects.
+// If doRender is true, a final newline is mandatory to recognize the fenced code block.
+func (p *parser) fencedCodeBlock(out *bytes.Buffer, data []byte, doRender bool) int {
+ var syntax string
+ beg, marker := isFenceLine(data, &syntax, "", false)
+ if beg == 0 || beg >= len(data) {
+ return 0
+ }
+
+ var work bytes.Buffer
+
+ for {
+ // safe to assume beg < len(data)
+
+ // check for the end of the code block
+ newlineOptional := !doRender
+ fenceEnd, _ := isFenceLine(data[beg:], nil, marker, newlineOptional)
+ if fenceEnd != 0 {
+ beg += fenceEnd
+ break
+ }
+
+ // copy the current line
+ end := skipUntilChar(data, beg, '\n') + 1
+
+ // did we reach the end of the buffer without a closing marker?
+ if end >= len(data) {
+ return 0
+ }
+
+ // verbatim copy to the working buffer
+ if doRender {
+ work.Write(data[beg:end])
+ }
+ beg = end
+ }
+
+ if doRender {
+ p.r.BlockCode(out, work.Bytes(), syntax)
+ }
+
+ return beg
+}
+
+func (p *parser) table(out *bytes.Buffer, data []byte) int {
+ var header bytes.Buffer
+ i, columns := p.tableHeader(&header, data)
+ if i == 0 {
+ return 0
+ }
+
+ var body bytes.Buffer
+
+ for i < len(data) {
+ pipes, rowStart := 0, i
+ for ; data[i] != '\n'; i++ {
+ if data[i] == '|' {
+ pipes++
+ }
+ }
+
+ if pipes == 0 {
+ i = rowStart
+ break
+ }
+
+ // include the newline in data sent to tableRow
+ i++
+ p.tableRow(&body, data[rowStart:i], columns, false)
+ }
+
+ p.r.Table(out, header.Bytes(), body.Bytes(), columns)
+
+ return i
+}
+
+// check if the specified position is preceded by an odd number of backslashes
+func isBackslashEscaped(data []byte, i int) bool {
+ backslashes := 0
+ for i-backslashes-1 >= 0 && data[i-backslashes-1] == '\\' {
+ backslashes++
+ }
+ return backslashes&1 == 1
+}
+
+func (p *parser) tableHeader(out *bytes.Buffer, data []byte) (size int, columns []int) {
+ i := 0
+ colCount := 1
+ for i = 0; data[i] != '\n'; i++ {
+ if data[i] == '|' && !isBackslashEscaped(data, i) {
+ colCount++
+ }
+ }
+
+ // doesn't look like a table header
+ if colCount == 1 {
+ return
+ }
+
+ // include the newline in the data sent to tableRow
+ header := data[:i+1]
+
+ // column count ignores pipes at beginning or end of line
+ if data[0] == '|' {
+ colCount--
+ }
+ if i > 2 && data[i-1] == '|' && !isBackslashEscaped(data, i-1) {
+ colCount--
+ }
+
+ columns = make([]int, colCount)
+
+ // move on to the header underline
+ i++
+ if i >= len(data) {
+ return
+ }
+
+ if data[i] == '|' && !isBackslashEscaped(data, i) {
+ i++
+ }
+ i = skipChar(data, i, ' ')
+
+ // each column header is of form: / *:?-+:? *|/ with # dashes + # colons >= 3
+ // and trailing | optional on last column
+ col := 0
+ for data[i] != '\n' {
+ dashes := 0
+
+ if data[i] == ':' {
+ i++
+ columns[col] |= TABLE_ALIGNMENT_LEFT
+ dashes++
+ }
+ for data[i] == '-' {
+ i++
+ dashes++
+ }
+ if data[i] == ':' {
+ i++
+ columns[col] |= TABLE_ALIGNMENT_RIGHT
+ dashes++
+ }
+ for data[i] == ' ' {
+ i++
+ }
+
+ // end of column test is messy
+ switch {
+ case dashes < 3:
+ // not a valid column
+ return
+
+ case data[i] == '|' && !isBackslashEscaped(data, i):
+ // marker found, now skip past trailing whitespace
+ col++
+ i++
+ for data[i] == ' ' {
+ i++
+ }
+
+ // trailing junk found after last column
+ if col >= colCount && data[i] != '\n' {
+ return
+ }
+
+ case (data[i] != '|' || isBackslashEscaped(data, i)) && col+1 < colCount:
+ // something else found where marker was required
+ return
+
+ case data[i] == '\n':
+ // marker is optional for the last column
+ col++
+
+ default:
+ // trailing junk found after last column
+ return
+ }
+ }
+ if col != colCount {
+ return
+ }
+
+ p.tableRow(out, header, columns, true)
+ size = i + 1
+ return
+}
+
+func (p *parser) tableRow(out *bytes.Buffer, data []byte, columns []int, header bool) {
+ i, col := 0, 0
+ var rowWork bytes.Buffer
+
+ if data[i] == '|' && !isBackslashEscaped(data, i) {
+ i++
+ }
+
+ for col = 0; col < len(columns) && i < len(data); col++ {
+ for data[i] == ' ' {
+ i++
+ }
+
+ cellStart := i
+
+ for (data[i] != '|' || isBackslashEscaped(data, i)) && data[i] != '\n' {
+ i++
+ }
+
+ cellEnd := i
+
+ // skip the end-of-cell marker, possibly taking us past end of buffer
+ i++
+
+ for cellEnd > cellStart && data[cellEnd-1] == ' ' {
+ cellEnd--
+ }
+
+ var cellWork bytes.Buffer
+ p.inline(&cellWork, data[cellStart:cellEnd])
+
+ if header {
+ p.r.TableHeaderCell(&rowWork, cellWork.Bytes(), columns[col])
+ } else {
+ p.r.TableCell(&rowWork, cellWork.Bytes(), columns[col])
+ }
+ }
+
+ // pad it out with empty columns to get the right number
+ for ; col < len(columns); col++ {
+ if header {
+ p.r.TableHeaderCell(&rowWork, nil, columns[col])
+ } else {
+ p.r.TableCell(&rowWork, nil, columns[col])
+ }
+ }
+
+ // silently ignore rows with too many cells
+
+ p.r.TableRow(out, rowWork.Bytes())
+}
+
+// returns blockquote prefix length
+func (p *parser) quotePrefix(data []byte) int {
+ i := 0
+ for i < 3 && data[i] == ' ' {
+ i++
+ }
+ if data[i] == '>' {
+ if data[i+1] == ' ' {
+ return i + 2
+ }
+ return i + 1
+ }
+ return 0
+}
+
+// blockquote ends with at least one blank line
+// followed by something without a blockquote prefix
+func (p *parser) terminateBlockquote(data []byte, beg, end int) bool {
+ if p.isEmpty(data[beg:]) <= 0 {
+ return false
+ }
+ if end >= len(data) {
+ return true
+ }
+ return p.quotePrefix(data[end:]) == 0 && p.isEmpty(data[end:]) == 0
+}
+
+// parse a blockquote fragment
+func (p *parser) quote(out *bytes.Buffer, data []byte) int {
+ var raw bytes.Buffer
+ beg, end := 0, 0
+ for beg < len(data) {
+ end = beg
+ // Step over whole lines, collecting them. While doing that, check for
+ // fenced code and if one's found, incorporate it altogether,
+ // irregardless of any contents inside it
+ for data[end] != '\n' {
+ if p.flags&EXTENSION_FENCED_CODE != 0 {
+ if i := p.fencedCodeBlock(out, data[end:], false); i > 0 {
+ // -1 to compensate for the extra end++ after the loop:
+ end += i - 1
+ break
+ }
+ }
+ end++
+ }
+ end++
+
+ if pre := p.quotePrefix(data[beg:]); pre > 0 {
+ // skip the prefix
+ beg += pre
+ } else if p.terminateBlockquote(data, beg, end) {
+ break
+ }
+
+ // this line is part of the blockquote
+ raw.Write(data[beg:end])
+ beg = end
+ }
+
+ var cooked bytes.Buffer
+ p.block(&cooked, raw.Bytes())
+ p.r.BlockQuote(out, cooked.Bytes())
+ return end
+}
+
+// returns prefix length for block code
+func (p *parser) codePrefix(data []byte) int {
+ if data[0] == ' ' && data[1] == ' ' && data[2] == ' ' && data[3] == ' ' {
+ return 4
+ }
+ return 0
+}
+
+func (p *parser) code(out *bytes.Buffer, data []byte) int {
+ var work bytes.Buffer
+
+ i := 0
+ for i < len(data) {
+ beg := i
+ for data[i] != '\n' {
+ i++
+ }
+ i++
+
+ blankline := p.isEmpty(data[beg:i]) > 0
+ if pre := p.codePrefix(data[beg:i]); pre > 0 {
+ beg += pre
+ } else if !blankline {
+ // non-empty, non-prefixed line breaks the pre
+ i = beg
+ break
+ }
+
+ // verbatim copy to the working buffeu
+ if blankline {
+ work.WriteByte('\n')
+ } else {
+ work.Write(data[beg:i])
+ }
+ }
+
+ // trim all the \n off the end of work
+ workbytes := work.Bytes()
+ eol := len(workbytes)
+ for eol > 0 && workbytes[eol-1] == '\n' {
+ eol--
+ }
+ if eol != len(workbytes) {
+ work.Truncate(eol)
+ }
+
+ work.WriteByte('\n')
+
+ p.r.BlockCode(out, work.Bytes(), "")
+
+ return i
+}
+
+// returns unordered list item prefix
+func (p *parser) uliPrefix(data []byte) int {
+ i := 0
+
+ // start with up to 3 spaces
+ for i < 3 && data[i] == ' ' {
+ i++
+ }
+
+ // need a *, +, or - followed by a space
+ if (data[i] != '*' && data[i] != '+' && data[i] != '-') ||
+ data[i+1] != ' ' {
+ return 0
+ }
+ return i + 2
+}
+
+// returns ordered list item prefix
+func (p *parser) oliPrefix(data []byte) int {
+ i := 0
+
+ // start with up to 3 spaces
+ for i < 3 && data[i] == ' ' {
+ i++
+ }
+
+ // count the digits
+ start := i
+ for data[i] >= '0' && data[i] <= '9' {
+ i++
+ }
+
+ // we need >= 1 digits followed by a dot and a space
+ if start == i || data[i] != '.' || data[i+1] != ' ' {
+ return 0
+ }
+ return i + 2
+}
+
+// returns definition list item prefix
+func (p *parser) dliPrefix(data []byte) int {
+ i := 0
+
+ // need a : followed by a spaces
+ if data[i] != ':' || data[i+1] != ' ' {
+ return 0
+ }
+ for data[i] == ' ' {
+ i++
+ }
+ return i + 2
+}
+
+// parse ordered or unordered list block
+func (p *parser) list(out *bytes.Buffer, data []byte, flags int) int {
+ i := 0
+ flags |= LIST_ITEM_BEGINNING_OF_LIST
+ work := func() bool {
+ for i < len(data) {
+ skip := p.listItem(out, data[i:], &flags)
+ i += skip
+
+ if skip == 0 || flags&LIST_ITEM_END_OF_LIST != 0 {
+ break
+ }
+ flags &= ^LIST_ITEM_BEGINNING_OF_LIST
+ }
+ return true
+ }
+
+ p.r.List(out, work, flags)
+ return i
+}
+
+// Parse a single list item.
+// Assumes initial prefix is already removed if this is a sublist.
+func (p *parser) listItem(out *bytes.Buffer, data []byte, flags *int) int {
+ // keep track of the indentation of the first line
+ itemIndent := 0
+ for itemIndent < 3 && data[itemIndent] == ' ' {
+ itemIndent++
+ }
+
+ i := p.uliPrefix(data)
+ if i == 0 {
+ i = p.oliPrefix(data)
+ }
+ if i == 0 {
+ i = p.dliPrefix(data)
+ // reset definition term flag
+ if i > 0 {
+ *flags &= ^LIST_TYPE_TERM
+ }
+ }
+ if i == 0 {
+ // if in defnition list, set term flag and continue
+ if *flags&LIST_TYPE_DEFINITION != 0 {
+ *flags |= LIST_TYPE_TERM
+ } else {
+ return 0
+ }
+ }
+
+ // skip leading whitespace on first line
+ for data[i] == ' ' {
+ i++
+ }
+
+ // find the end of the line
+ line := i
+ for i > 0 && data[i-1] != '\n' {
+ i++
+ }
+
+ // get working buffer
+ var raw bytes.Buffer
+
+ // put the first line into the working buffer
+ raw.Write(data[line:i])
+ line = i
+
+ // process the following lines
+ containsBlankLine := false
+ sublist := 0
+
+gatherlines:
+ for line < len(data) {
+ i++
+
+ // find the end of this line
+ for data[i-1] != '\n' {
+ i++
+ }
+
+ // if it is an empty line, guess that it is part of this item
+ // and move on to the next line
+ if p.isEmpty(data[line:i]) > 0 {
+ containsBlankLine = true
+ raw.Write(data[line:i])
+ line = i
+ continue
+ }
+
+ // calculate the indentation
+ indent := 0
+ for indent < 4 && line+indent < i && data[line+indent] == ' ' {
+ indent++
+ }
+
+ chunk := data[line+indent : i]
+
+ // evaluate how this line fits in
+ switch {
+ // is this a nested list item?
+ case (p.uliPrefix(chunk) > 0 && !p.isHRule(chunk)) ||
+ p.oliPrefix(chunk) > 0 ||
+ p.dliPrefix(chunk) > 0:
+
+ if containsBlankLine {
+ // end the list if the type changed after a blank line
+ if indent <= itemIndent &&
+ ((*flags&LIST_TYPE_ORDERED != 0 && p.uliPrefix(chunk) > 0) ||
+ (*flags&LIST_TYPE_ORDERED == 0 && p.oliPrefix(chunk) > 0)) {
+
+ *flags |= LIST_ITEM_END_OF_LIST
+ break gatherlines
+ }
+ *flags |= LIST_ITEM_CONTAINS_BLOCK
+ }
+
+ // to be a nested list, it must be indented more
+ // if not, it is the next item in the same list
+ if indent <= itemIndent {
+ break gatherlines
+ }
+
+ // is this the first item in the nested list?
+ if sublist == 0 {
+ sublist = raw.Len()
+ }
+
+ // is this a nested prefix header?
+ case p.isPrefixHeader(chunk):
+ // if the header is not indented, it is not nested in the list
+ // and thus ends the list
+ if containsBlankLine && indent < 4 {
+ *flags |= LIST_ITEM_END_OF_LIST
+ break gatherlines
+ }
+ *flags |= LIST_ITEM_CONTAINS_BLOCK
+
+ // anything following an empty line is only part
+ // of this item if it is indented 4 spaces
+ // (regardless of the indentation of the beginning of the item)
+ case containsBlankLine && indent < 4:
+ if *flags&LIST_TYPE_DEFINITION != 0 && i < len(data)-1 {
+ // is the next item still a part of this list?
+ next := i
+ for data[next] != '\n' {
+ next++
+ }
+ for next < len(data)-1 && data[next] == '\n' {
+ next++
+ }
+ if i < len(data)-1 && data[i] != ':' && data[next] != ':' {
+ *flags |= LIST_ITEM_END_OF_LIST
+ }
+ } else {
+ *flags |= LIST_ITEM_END_OF_LIST
+ }
+ break gatherlines
+
+ // a blank line means this should be parsed as a block
+ case containsBlankLine:
+ *flags |= LIST_ITEM_CONTAINS_BLOCK
+ }
+
+ containsBlankLine = false
+
+ // add the line into the working buffer without prefix
+ raw.Write(data[line+indent : i])
+
+ line = i
+ }
+
+ // If reached end of data, the Renderer.ListItem call we're going to make below
+ // is definitely the last in the list.
+ if line >= len(data) {
+ *flags |= LIST_ITEM_END_OF_LIST
+ }
+
+ rawBytes := raw.Bytes()
+
+ // render the contents of the list item
+ var cooked bytes.Buffer
+ if *flags&LIST_ITEM_CONTAINS_BLOCK != 0 && *flags&LIST_TYPE_TERM == 0 {
+ // intermediate render of block item, except for definition term
+ if sublist > 0 {
+ p.block(&cooked, rawBytes[:sublist])
+ p.block(&cooked, rawBytes[sublist:])
+ } else {
+ p.block(&cooked, rawBytes)
+ }
+ } else {
+ // intermediate render of inline item
+ if sublist > 0 {
+ p.inline(&cooked, rawBytes[:sublist])
+ p.block(&cooked, rawBytes[sublist:])
+ } else {
+ p.inline(&cooked, rawBytes)
+ }
+ }
+
+ // render the actual list item
+ cookedBytes := cooked.Bytes()
+ parsedEnd := len(cookedBytes)
+
+ // strip trailing newlines
+ for parsedEnd > 0 && cookedBytes[parsedEnd-1] == '\n' {
+ parsedEnd--
+ }
+ p.r.ListItem(out, cookedBytes[:parsedEnd], *flags)
+
+ return line
+}
+
+// render a single paragraph that has already been parsed out
+func (p *parser) renderParagraph(out *bytes.Buffer, data []byte) {
+ if len(data) == 0 {
+ return
+ }
+
+ // trim leading spaces
+ beg := 0
+ for data[beg] == ' ' {
+ beg++
+ }
+
+ // trim trailing newline
+ end := len(data) - 1
+
+ // trim trailing spaces
+ for end > beg && data[end-1] == ' ' {
+ end--
+ }
+
+ work := func() bool {
+ p.inline(out, data[beg:end])
+ return true
+ }
+ p.r.Paragraph(out, work)
+}
+
+func (p *parser) paragraph(out *bytes.Buffer, data []byte) int {
+ // prev: index of 1st char of previous line
+ // line: index of 1st char of current line
+ // i: index of cursor/end of current line
+ var prev, line, i int
+
+ // keep going until we find something to mark the end of the paragraph
+ for i < len(data) {
+ // mark the beginning of the current line
+ prev = line
+ current := data[i:]
+ line = i
+
+ // did we find a blank line marking the end of the paragraph?
+ if n := p.isEmpty(current); n > 0 {
+ // did this blank line followed by a definition list item?
+ if p.flags&EXTENSION_DEFINITION_LISTS != 0 {
+ if i < len(data)-1 && data[i+1] == ':' {
+ return p.list(out, data[prev:], LIST_TYPE_DEFINITION)
+ }
+ }
+
+ p.renderParagraph(out, data[:i])
+ return i + n
+ }
+
+ // an underline under some text marks a header, so our paragraph ended on prev line
+ if i > 0 {
+ if level := p.isUnderlinedHeader(current); level > 0 {
+ // render the paragraph
+ p.renderParagraph(out, data[:prev])
+
+ // ignore leading and trailing whitespace
+ eol := i - 1
+ for prev < eol && data[prev] == ' ' {
+ prev++
+ }
+ for eol > prev && data[eol-1] == ' ' {
+ eol--
+ }
+
+ // render the header
+ // this ugly double closure avoids forcing variables onto the heap
+ work := func(o *bytes.Buffer, pp *parser, d []byte) func() bool {
+ return func() bool {
+ pp.inline(o, d)
+ return true
+ }
+ }(out, p, data[prev:eol])
+
+ id := ""
+ if p.flags&EXTENSION_AUTO_HEADER_IDS != 0 {
+ id = sanitized_anchor_name.Create(string(data[prev:eol]))
+ }
+
+ p.r.Header(out, work, level, id)
+
+ // find the end of the underline
+ for data[i] != '\n' {
+ i++
+ }
+ return i
+ }
+ }
+
+ // if the next line starts a block of HTML, then the paragraph ends here
+ if p.flags&EXTENSION_LAX_HTML_BLOCKS != 0 {
+ if data[i] == '<' && p.html(out, current, false) > 0 {
+ // rewind to before the HTML block
+ p.renderParagraph(out, data[:i])
+ return i
+ }
+ }
+
+ // if there's a prefixed header or a horizontal rule after this, paragraph is over
+ if p.isPrefixHeader(current) || p.isHRule(current) {
+ p.renderParagraph(out, data[:i])
+ return i
+ }
+
+ // if there's a fenced code block, paragraph is over
+ if p.flags&EXTENSION_FENCED_CODE != 0 {
+ if p.fencedCodeBlock(out, current, false) > 0 {
+ p.renderParagraph(out, data[:i])
+ return i
+ }
+ }
+
+ // if there's a definition list item, prev line is a definition term
+ if p.flags&EXTENSION_DEFINITION_LISTS != 0 {
+ if p.dliPrefix(current) != 0 {
+ return p.list(out, data[prev:], LIST_TYPE_DEFINITION)
+ }
+ }
+
+ // if there's a list after this, paragraph is over
+ if p.flags&EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK != 0 {
+ if p.uliPrefix(current) != 0 ||
+ p.oliPrefix(current) != 0 ||
+ p.quotePrefix(current) != 0 ||
+ p.codePrefix(current) != 0 {
+ p.renderParagraph(out, data[:i])
+ return i
+ }
+ }
+
+ // otherwise, scan to the beginning of the next line
+ for data[i] != '\n' {
+ i++
+ }
+ i++
+ }
+
+ p.renderParagraph(out, data[:i])
+ return i
+}
diff --git a/vendor/github.com/russross/blackfriday/html.go b/vendor/github.com/russross/blackfriday/html.go
new file mode 100644
index 0000000..74e67ee
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/html.go
@@ -0,0 +1,949 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross .
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+//
+// HTML rendering backend
+//
+//
+
+package blackfriday
+
+import (
+ "bytes"
+ "fmt"
+ "regexp"
+ "strconv"
+ "strings"
+)
+
+// Html renderer configuration options.
+const (
+ HTML_SKIP_HTML = 1 << iota // skip preformatted HTML blocks
+ HTML_SKIP_STYLE // skip embedded
+[](https://travis-ci.org/gin-gonic/gin)
+[](https://codecov.io/gh/gin-gonic/gin)
+[](https://goreportcard.com/report/github.com/gin-gonic/gin)
+[](https://godoc.org/github.com/gin-gonic/gin)
+[](https://gitter.im/gin-gonic/gin?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+Gin is a web framework written in Go (Golang). It features a martini-like API with much better performance, up to 40 times faster thanks to [httprouter](https://github.com/julienschmidt/httprouter). If you need performance and good productivity, you will love Gin.
+
+
+
+```sh
+$ cat test.go
+```
+```go
+package main
+
+import "gopkg.in/gin-gonic/gin.v1"
+
+func main() {
+ r := gin.Default()
+ r.GET("/ping", func(c *gin.Context) {
+ c.JSON(200, gin.H{
+ "message": "pong",
+ })
+ })
+ r.Run() // listen and serve on 0.0.0.0:8080
+}
+```
+
+## Benchmarks
+
+Gin uses a custom version of [HttpRouter](https://github.com/julienschmidt/httprouter)
+
+[See all benchmarks](/BENCHMARKS.md)
+
+
+Benchmark name | (1) | (2) | (3) | (4)
+--------------------------------|----------:|----------:|----------:|------:
+BenchmarkAce_GithubAll | 10000 | 109482 | 13792 | 167
+BenchmarkBear_GithubAll | 10000 | 287490 | 79952 | 943
+BenchmarkBeego_GithubAll | 3000 | 562184 | 146272 | 2092
+BenchmarkBone_GithubAll | 500 | 2578716 | 648016 | 8119
+BenchmarkDenco_GithubAll | 20000 | 94955 | 20224 | 167
+BenchmarkEcho_GithubAll | 30000 | 58705 | 0 | 0
+**BenchmarkGin_GithubAll** | **30000** | **50991** | **0** | **0**
+BenchmarkGocraftWeb_GithubAll | 5000 | 449648 | 133280 | 1889
+BenchmarkGoji_GithubAll | 2000 | 689748 | 56113 | 334
+BenchmarkGoJsonRest_GithubAll | 5000 | 537769 | 135995 | 2940
+BenchmarkGoRestful_GithubAll | 100 | 18410628 | 797236 | 7725
+BenchmarkGorillaMux_GithubAll | 200 | 8036360 | 153137 | 1791
+BenchmarkHttpRouter_GithubAll | 20000 | 63506 | 13792 | 167
+BenchmarkHttpTreeMux_GithubAll | 10000 | 165927 | 56112 | 334
+BenchmarkKocha_GithubAll | 10000 | 171362 | 23304 | 843
+BenchmarkMacaron_GithubAll | 2000 | 817008 | 224960 | 2315
+BenchmarkMartini_GithubAll | 100 | 12609209 | 237952 | 2686
+BenchmarkPat_GithubAll | 300 | 4830398 | 1504101 | 32222
+BenchmarkPossum_GithubAll | 10000 | 301716 | 97440 | 812
+BenchmarkR2router_GithubAll | 10000 | 270691 | 77328 | 1182
+BenchmarkRevel_GithubAll | 1000 | 1491919 | 345553 | 5918
+BenchmarkRivet_GithubAll | 10000 | 283860 | 84272 | 1079
+BenchmarkTango_GithubAll | 5000 | 473821 | 87078 | 2470
+BenchmarkTigerTonic_GithubAll | 2000 | 1120131 | 241088 | 6052
+BenchmarkTraffic_GithubAll | 200 | 8708979 | 2664762 | 22390
+BenchmarkVulcan_GithubAll | 5000 | 353392 | 19894 | 609
+BenchmarkZeus_GithubAll | 2000 | 944234 | 300688 | 2648
+
+(1): Total Repetitions
+(2): Single Repetition Duration (ns/op)
+(3): Heap Memory (B/op)
+(4): Average Allocations per Repetition (allocs/op)
+
+## Gin v1. stable
+
+- [x] Zero allocation router.
+- [x] Still the fastest http router and framework. From routing to writing.
+- [x] Complete suite of unit tests
+- [x] Battle tested
+- [x] API frozen, new releases will not break your code.
+
+
+## Start using it
+
+1. Download and install it:
+
+ ```sh
+ $ go get gopkg.in/gin-gonic/gin.v1
+ ```
+
+2. Import it in your code:
+
+ ```go
+ import "gopkg.in/gin-gonic/gin.v1"
+ ```
+
+3. (Optional) Import `net/http`. This is required for example if using constants such as `http.StatusOK`.
+
+ ```go
+ import "net/http"
+ ```
+
+## API Examples
+
+#### Using GET, POST, PUT, PATCH, DELETE and OPTIONS
+
+```go
+func main() {
+ // Creates a gin router with default middleware:
+ // logger and recovery (crash-free) middleware
+ router := gin.Default()
+
+ router.GET("/someGet", getting)
+ router.POST("/somePost", posting)
+ router.PUT("/somePut", putting)
+ router.DELETE("/someDelete", deleting)
+ router.PATCH("/somePatch", patching)
+ router.HEAD("/someHead", head)
+ router.OPTIONS("/someOptions", options)
+
+ // By default it serves on :8080 unless a
+ // PORT environment variable was defined.
+ router.Run()
+ // router.Run(":3000") for a hard coded port
+}
+```
+
+#### Parameters in path
+
+```go
+func main() {
+ router := gin.Default()
+
+ // This handler will match /user/john but will not match neither /user/ or /user
+ router.GET("/user/:name", func(c *gin.Context) {
+ name := c.Param("name")
+ c.String(http.StatusOK, "Hello %s", name)
+ })
+
+ // However, this one will match /user/john/ and also /user/john/send
+ // If no other routers match /user/john, it will redirect to /user/john/
+ router.GET("/user/:name/*action", func(c *gin.Context) {
+ name := c.Param("name")
+ action := c.Param("action")
+ message := name + " is " + action
+ c.String(http.StatusOK, message)
+ })
+
+ router.Run(":8080")
+}
+```
+
+#### Querystring parameters
+```go
+func main() {
+ router := gin.Default()
+
+ // Query string parameters are parsed using the existing underlying request object.
+ // The request responds to a url matching: /welcome?firstname=Jane&lastname=Doe
+ router.GET("/welcome", func(c *gin.Context) {
+ firstname := c.DefaultQuery("firstname", "Guest")
+ lastname := c.Query("lastname") // shortcut for c.Request.URL.Query().Get("lastname")
+
+ c.String(http.StatusOK, "Hello %s %s", firstname, lastname)
+ })
+ router.Run(":8080")
+}
+```
+
+### Multipart/Urlencoded Form
+
+```go
+func main() {
+ router := gin.Default()
+
+ router.POST("/form_post", func(c *gin.Context) {
+ message := c.PostForm("message")
+ nick := c.DefaultPostForm("nick", "anonymous")
+
+ c.JSON(200, gin.H{
+ "status": "posted",
+ "message": message,
+ "nick": nick,
+ })
+ })
+ router.Run(":8080")
+}
+```
+
+### Another example: query + post form
+
+```
+POST /post?id=1234&page=1 HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+name=manu&message=this_is_great
+```
+
+```go
+func main() {
+ router := gin.Default()
+
+ router.POST("/post", func(c *gin.Context) {
+
+ id := c.Query("id")
+ page := c.DefaultQuery("page", "0")
+ name := c.PostForm("name")
+ message := c.PostForm("message")
+
+ fmt.Printf("id: %s; page: %s; name: %s; message: %s", id, page, name, message)
+ })
+ router.Run(":8080")
+}
+```
+
+```
+id: 1234; page: 1; name: manu; message: this_is_great
+```
+
+### Another example: upload file
+
+References issue [#548](https://github.com/gin-gonic/gin/issues/548).
+
+```go
+func main() {
+ router := gin.Default()
+
+ router.POST("/upload", func(c *gin.Context) {
+
+ file, header , err := c.Request.FormFile("upload")
+ filename := header.Filename
+ fmt.Println(header.Filename)
+ out, err := os.Create("./tmp/"+filename+".png")
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer out.Close()
+ _, err = io.Copy(out, file)
+ if err != nil {
+ log.Fatal(err)
+ }
+ })
+ router.Run(":8080")
+}
+```
+
+#### Grouping routes
+```go
+func main() {
+ router := gin.Default()
+
+ // Simple group: v1
+ v1 := router.Group("/v1")
+ {
+ v1.POST("/login", loginEndpoint)
+ v1.POST("/submit", submitEndpoint)
+ v1.POST("/read", readEndpoint)
+ }
+
+ // Simple group: v2
+ v2 := router.Group("/v2")
+ {
+ v2.POST("/login", loginEndpoint)
+ v2.POST("/submit", submitEndpoint)
+ v2.POST("/read", readEndpoint)
+ }
+
+ router.Run(":8080")
+}
+```
+
+
+#### Blank Gin without middleware by default
+
+Use
+
+```go
+r := gin.New()
+```
+instead of
+
+```go
+r := gin.Default()
+```
+
+
+#### Using middleware
+```go
+func main() {
+ // Creates a router without any middleware by default
+ r := gin.New()
+
+ // Global middleware
+ r.Use(gin.Logger())
+ r.Use(gin.Recovery())
+
+ // Per route middleware, you can add as many as you desire.
+ r.GET("/benchmark", MyBenchLogger(), benchEndpoint)
+
+ // Authorization group
+ // authorized := r.Group("/", AuthRequired())
+ // exactly the same as:
+ authorized := r.Group("/")
+ // per group middleware! in this case we use the custom created
+ // AuthRequired() middleware just in the "authorized" group.
+ authorized.Use(AuthRequired())
+ {
+ authorized.POST("/login", loginEndpoint)
+ authorized.POST("/submit", submitEndpoint)
+ authorized.POST("/read", readEndpoint)
+
+ // nested group
+ testing := authorized.Group("testing")
+ testing.GET("/analytics", analyticsEndpoint)
+ }
+
+ // Listen and serve on 0.0.0.0:8080
+ r.Run(":8080")
+}
+```
+
+#### Model binding and validation
+
+To bind a request body into a type, use model binding. We currently support binding of JSON, XML and standard form values (foo=bar&boo=baz).
+
+Note that you need to set the corresponding binding tag on all fields you want to bind. For example, when binding from JSON, set `json:"fieldname"`.
+
+When using the Bind-method, Gin tries to infer the binder depending on the Content-Type header. If you are sure what you are binding, you can use BindWith.
+
+You can also specify that specific fields are required. If a field is decorated with `binding:"required"` and has a empty value when binding, the current request will fail with an error.
+
+```go
+// Binding from JSON
+type Login struct {
+ User string `form:"user" json:"user" binding:"required"`
+ Password string `form:"password" json:"password" binding:"required"`
+}
+
+func main() {
+ router := gin.Default()
+
+ // Example for binding JSON ({"user": "manu", "password": "123"})
+ router.POST("/loginJSON", func(c *gin.Context) {
+ var json Login
+ if c.BindJSON(&json) == nil {
+ if json.User == "manu" && json.Password == "123" {
+ c.JSON(http.StatusOK, gin.H{"status": "you are logged in"})
+ } else {
+ c.JSON(http.StatusUnauthorized, gin.H{"status": "unauthorized"})
+ }
+ }
+ })
+
+ // Example for binding a HTML form (user=manu&password=123)
+ router.POST("/loginForm", func(c *gin.Context) {
+ var form Login
+ // This will infer what binder to use depending on the content-type header.
+ if c.Bind(&form) == nil {
+ if form.User == "manu" && form.Password == "123" {
+ c.JSON(http.StatusOK, gin.H{"status": "you are logged in"})
+ } else {
+ c.JSON(http.StatusUnauthorized, gin.H{"status": "unauthorized"})
+ }
+ }
+ })
+
+ // Listen and serve on 0.0.0.0:8080
+ router.Run(":8080")
+}
+```
+
+
+###Multipart/Urlencoded binding
+```go
+package main
+
+import (
+ "gopkg.in/gin-gonic/gin.v1"
+)
+
+type LoginForm struct {
+ User string `form:"user" binding:"required"`
+ Password string `form:"password" binding:"required"`
+}
+
+func main() {
+ router := gin.Default()
+ router.POST("/login", func(c *gin.Context) {
+ // you can bind multipart form with explicit binding declaration:
+ // c.BindWith(&form, binding.Form)
+ // or you can simply use autobinding with Bind method:
+ var form LoginForm
+ // in this case proper binding will be automatically selected
+ if c.Bind(&form) == nil {
+ if form.User == "user" && form.Password == "password" {
+ c.JSON(200, gin.H{"status": "you are logged in"})
+ } else {
+ c.JSON(401, gin.H{"status": "unauthorized"})
+ }
+ }
+ })
+ router.Run(":8080")
+}
+```
+
+Test it with:
+```sh
+$ curl -v --form user=user --form password=password http://localhost:8080/login
+```
+
+
+#### XML, JSON and YAML rendering
+
+```go
+func main() {
+ r := gin.Default()
+
+ // gin.H is a shortcut for map[string]interface{}
+ r.GET("/someJSON", func(c *gin.Context) {
+ c.JSON(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK})
+ })
+
+ r.GET("/moreJSON", func(c *gin.Context) {
+ // You also can use a struct
+ var msg struct {
+ Name string `json:"user"`
+ Message string
+ Number int
+ }
+ msg.Name = "Lena"
+ msg.Message = "hey"
+ msg.Number = 123
+ // Note that msg.Name becomes "user" in the JSON
+ // Will output : {"user": "Lena", "Message": "hey", "Number": 123}
+ c.JSON(http.StatusOK, msg)
+ })
+
+ r.GET("/someXML", func(c *gin.Context) {
+ c.XML(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK})
+ })
+
+ r.GET("/someYAML", func(c *gin.Context) {
+ c.YAML(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK})
+ })
+
+ // Listen and serve on 0.0.0.0:8080
+ r.Run(":8080")
+}
+```
+
+####Serving static files
+
+```go
+func main() {
+ router := gin.Default()
+ router.Static("/assets", "./assets")
+ router.StaticFS("/more_static", http.Dir("my_file_system"))
+ router.StaticFile("/favicon.ico", "./resources/favicon.ico")
+
+ // Listen and serve on 0.0.0.0:8080
+ router.Run(":8080")
+}
+```
+
+####HTML rendering
+
+Using LoadHTMLTemplates()
+
+```go
+func main() {
+ router := gin.Default()
+ router.LoadHTMLGlob("templates/*")
+ //router.LoadHTMLFiles("templates/template1.html", "templates/template2.html")
+ router.GET("/index", func(c *gin.Context) {
+ c.HTML(http.StatusOK, "index.tmpl", gin.H{
+ "title": "Main website",
+ })
+ })
+ router.Run(":8080")
+}
+```
+templates/index.tmpl
+```html
+
+