Update to bluemonday-1.0.6 (#15294) (#15297)

Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
2025-11-04 05:25:15 +01:00 · 2021-04-06 02:36:58 +02:00 · 2021-04-06 02:36:58 +02:00 · e6050e80f7
commit e6050e80f7
parent 3803b15d76
14 changed files with 155 additions and 70 deletions
--- a/go.mod
+++ b/go.mod
@ -86,7 +86,7 @@ require (
 	github.com/mgechev/revive v1.0.3
 	github.com/mholt/acmez v0.1.3 // indirect
 	github.com/mholt/archiver/v3 v3.5.0
-	github.com/microcosm-cc/bluemonday v1.0.5
+	github.com/microcosm-cc/bluemonday v1.0.6
 	github.com/miekg/dns v1.1.40 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/minio-go/v7 v7.0.10
@ -136,7 +136,7 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.16.0 // indirect
 	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
-	golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c
+	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
 	golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93
 	golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44
 	golang.org/x/text v0.3.5
@ -153,5 +153,3 @@ require (
 )
 replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4
 replace github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8
--- a/go.sum
+++ b/go.sum
@ -196,8 +196,6 @@ github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chi-middleware/proxy v1.1.1 h1:4HaXUp8o2+bhHr1OhVy+VjN0+L7/07JDcn6v7YrTjrQ=
 github.com/chi-middleware/proxy v1.1.1/go.mod h1:jQwMEJct2tz9VmtCELxvnXoMfa+SOdikvbVJVHv/M+0=
 github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU=
 github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@ -776,8 +774,6 @@ github.com/libdns/libdns v0.2.0 h1:ewg3ByWrdUrxrje8ChPVMBNcotg7H9LQYg+u5De2RzI=
 github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
 github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 h1:1omo92DLtxQu6VwVPSZAmduHaK5zssed6cvkHyl1XOg=
 github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:uNwtsDp7ci48vBTTxDuwcoTXz4lwtDTe7TjCQ0noaWY=
 github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:mmIfjCSQlGYXmJ95jFN84AkQFnVABtKuJL8IrzwvUKQ=
 github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de/go.mod h1:3q8WtuPQsoRbatJuy3nvq/hRSvuBJrHHr+ybPPiNvHQ=
@ -834,6 +830,8 @@ github.com/mholt/acmez v0.1.3 h1:J7MmNIk4Qf9b8mAGqAh4XkNeowv3f1zW816yf4zt7Qk=
 github.com/mholt/acmez v0.1.3/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM=
 github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE=
 github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc=
 github.com/microcosm-cc/bluemonday v1.0.6 h1:ZOvqHKtnx0fUpnbQm3m3zKFWE+DRC+XB1onh8JoEObE=
 github.com/microcosm-cc/bluemonday v1.0.6/go.mod h1:HOT/6NaBlR0f9XlxD3zolN6Z3N8Lp4pvhp+jLS5ihnI=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA=
@ -1321,8 +1319,9 @@ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8=
 golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@ -46,7 +46,9 @@ func ReplaceSanitizer() {
 	sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")
 	// Custom URL-Schemes
-	sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+	if len(setting.Markdown.CustomURLSchemes) > 0 {
 		sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
 	}
 	// Allow keyword markup
 	sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@ -6,6 +6,8 @@
 package markup
 import (
 	"html/template"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
@ -50,3 +52,13 @@ func Test_Sanitizer(t *testing.T) {
 		assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i]))))
 	}
 }
 func TestSanitizeNonEscape(t *testing.T) {
 	descStr := "<scrİpt>&lt;script&gt;alert(document.domain)&lt;/script&gt;</scrİpt>"
 	output := template.HTML(Sanitize(string(descStr)))
 	if strings.Contains(string(output), "<script>") {
 		t.Errorf("un-escaped <script> in output: %q", output)
 	}
 }
--- a/vendor/github.com/chris-ramon/douceur/parser/parser.go
+++ b/vendor/github.com/chris-ramon/douceur/parser/parser.go
--- a/vendor/github.com/chris-ramon/douceur/LICENSE
+++ b/vendor/github.com/chris-ramon/douceur/LICENSE
@ -1,22 +0,0 @@
 The MIT License (MIT)
 Copyright (c) 2015 Aymerick JEHANNE
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/SECURITY.md
@ -0,0 +1,15 @@
 # Security Policy
 ## Supported Versions
 Latest tag and tip are supported.
 Older tags remain present but changes result in new tags and are not back ported... please verify any issue against the latest tag and tip.
 ## Reporting a Vulnerability
 Email: <bluemonday@buro9.com>
 Bluemonday is pure OSS and not maintained by a company. As such there is no bug bounty program but security issues will be taken seriously and resolved as soon as possible.
 The maintainer lives in the United Kingdom and whilst the email is monitored expect a reply or ACK when the maintainer is awake.
--- a/vendor/github.com/microcosm-cc/bluemonday/go.mod
+++ b/vendor/github.com/microcosm-cc/bluemonday/go.mod
@ -1,10 +1,9 @@
 module github.com/microcosm-cc/bluemonday
-go 1.9
+go 1.16
 require (
-	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/aymerick/douceur v0.2.0
 	github.com/chris-ramon/douceur v0.2.0
 	github.com/gorilla/css v1.0.0 // indirect
-	golang.org/x/net v0.0.0-20181220203305-927f97764cc3
+	golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c
 )
--- a/vendor/github.com/microcosm-cc/bluemonday/go.sum
+++ b/vendor/github.com/microcosm-cc/bluemonday/go.sum
@ -1,8 +1,11 @@
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU=
 github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3 h1:eH6Eip3UpmR+yM/qI9Ijluzb1bNv/cAU/n+6l8tRSis=
+golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/vendor/github.com/microcosm-cc/bluemonday/handlers.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/handlers.go
@ -26,6 +26,7 @@
 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 package bluemonday
 import (
--- a/vendor/github.com/microcosm-cc/bluemonday/policy.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@ -69,6 +69,9 @@ type Policy struct {
 	// Will skip for href="/foo" or href="foo"
 	requireNoReferrerFullyQualifiedLinks bool
 	// When true, add crossorigin="anonymous" to HTML audio, img, link, script, and video tags
 	requireCrossOriginAnonymous bool
 	// When true add target="_blank" to fully qualified links
 	// Will add for href="http://foo"
 	// Will skip for href="/foo" or href="foo"
@ -433,25 +436,25 @@ func (spb *stylePolicyBuilder) OnElements(elements ...string) *Policy {
 // and return the updated policy
 func (spb *stylePolicyBuilder) OnElementsMatching(regex *regexp.Regexp) *Policy {
-		for _, attr := range spb.propertyNames {
+	for _, attr := range spb.propertyNames {
-			if _, ok := spb.p.elsMatchingAndStyles[regex]; !ok {
+		if _, ok := spb.p.elsMatchingAndStyles[regex]; !ok {
-				spb.p.elsMatchingAndStyles[regex] = make(map[string]stylePolicy)
+			spb.p.elsMatchingAndStyles[regex] = make(map[string]stylePolicy)
 			}
 			sp := stylePolicy{}
 			if spb.handler != nil {
 				sp.handler = spb.handler
 			} else if len(spb.enum) > 0 {
 				sp.enum = spb.enum
 			} else if spb.regexp != nil {
 				sp.regexp = spb.regexp
 			} else {
 				sp.handler = getDefaultHandler(attr)
 			}
 			spb.p.elsMatchingAndStyles[regex][attr] = sp
 		}
 		sp := stylePolicy{}
 		if spb.handler != nil {
 			sp.handler = spb.handler
 		} else if len(spb.enum) > 0 {
 			sp.enum = spb.enum
 		} else if spb.regexp != nil {
 			sp.regexp = spb.regexp
 		} else {
 			sp.handler = getDefaultHandler(attr)
 		}
 		spb.p.elsMatchingAndStyles[regex][attr] = sp
 	}
 	return spb.p
 }
@ -558,6 +561,16 @@ func (p *Policy) RequireNoReferrerOnFullyQualifiedLinks(require bool) *Policy {
 	return p
 }
 // RequireCrossOriginAnonymous will result in all audio, img, link, script, and
 // video tags having a crossorigin="anonymous" added to them if one does not
 // already exist
 func (p *Policy) RequireCrossOriginAnonymous(require bool) *Policy {
 	p.requireCrossOriginAnonymous = require
 	return p
 }
 // AddTargetBlankToFullyQualifiedLinks will result in all a, area and link tags
 // that point to a non-local destination (i.e. starts with a protocol and has a
 // host) having a target="_blank" added to them if one does not already exist
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@ -39,7 +39,7 @@ import (
 	"golang.org/x/net/html"
-	cssparser "github.com/chris-ramon/douceur/parser"
+	"github.com/aymerick/douceur/parser"
 )
 var (
@ -286,7 +286,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 		case html.StartTagToken:
-			mostRecentlyStartedToken = strings.ToLower(token.Data)
+			mostRecentlyStartedToken = normaliseElementName(token.Data)
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
@ -329,7 +329,7 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 		case html.EndTagToken:
-			if mostRecentlyStartedToken == strings.ToLower(token.Data) {
+			if mostRecentlyStartedToken == normaliseElementName(token.Data) {
 				mostRecentlyStartedToken = ""
 			}
@ -407,11 +407,11 @@ func (p *Policy) sanitize(r io.Reader) *bytes.Buffer {
 			if !skipElementContent {
 				switch mostRecentlyStartedToken {
-				case "script":
+				case `script`:
 					// not encouraged, but if a policy allows JavaScript we
 					// should not HTML escape it as that would break the output
 					buff.WriteString(token.Data)
-				case "style":
+				case `style`:
 					// not encouraged, but if a policy allows CSS styles we
 					// should not HTML escape it as that would break the output
 					buff.WriteString(token.Data)
@ -721,6 +721,26 @@ func (p *Policy) sanitizeAttrs(
 		}
 	}
 	if p.requireCrossOriginAnonymous && len(cleanAttrs) > 0 {
 		switch elementName {
 		case "audio", "img", "link", "script", "video":
 			var crossOriginFound bool
 			for _, htmlAttr := range cleanAttrs {
 				if htmlAttr.Key == "crossorigin" {
 					crossOriginFound = true
 					htmlAttr.Val = "anonymous"
 				}
 			}
 			if !crossOriginFound {
 				crossOrigin := html.Attribute{}
 				crossOrigin.Key = "crossorigin"
 				crossOrigin.Val = "anonymous"
 				cleanAttrs = append(cleanAttrs, crossOrigin)
 			}
 		}
 	}
 	return cleanAttrs
 }
@ -744,7 +764,7 @@ func (p *Policy) sanitizeStyles(attr html.Attribute, elementName string) html.At
 	if len(attr.Val) > 0 && attr.Val[len(attr.Val)-1] != ';' {
 		attr.Val = attr.Val + ";"
 	}
-	decs, err := cssparser.ParseDeclarations(attr.Val)
+	decs, err := parser.ParseDeclarations(attr.Val)
 	if err != nil {
 		attr.Val = ""
 		return attr
@ -944,3 +964,23 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
 	}
 	return aps, matched
 }
 // normaliseElementName takes a HTML element like <script> which is user input
 // and returns a lower case version of it that is immune to UTF-8 to ASCII
 // conversion tricks (like the use of upper case cyrillic i scrİpt which a
 // strings.ToLower would convert to script). Instead this func will preserve
 // all non-ASCII as their escaped equivalent, i.e. \u0130 which reveals the
 // characters when lower cased
 func normaliseElementName(str string) string {
 	// that useful QuoteToASCII put quote marks at the start and end
 	// so those are trimmed off
 	return strings.TrimSuffix(
 		strings.TrimPrefix(
 			strings.ToLower(
 				strconv.QuoteToASCII(str),
 			),
 			`"`),
 		`"`,
 	)
 }
--- a/vendor/golang.org/x/net/internal/socket/rawconn.go
+++ b/vendor/golang.org/x/net/internal/socket/rawconn.go
@ -17,18 +17,45 @@ type Conn struct {
 	c       syscall.RawConn
 }
 // tcpConn is an interface implemented by net.TCPConn.
 // It can be used for interface assertions to check if a net.Conn is a TCP connection.
 type tcpConn interface {
 	SyscallConn() (syscall.RawConn, error)
 	SetLinger(int) error
 }
 var _ tcpConn = (*net.TCPConn)(nil)
 // udpConn is an interface implemented by net.UDPConn.
 // It can be used for interface assertions to check if a net.Conn is a UDP connection.
 type udpConn interface {
 	SyscallConn() (syscall.RawConn, error)
 	ReadMsgUDP(b, oob []byte) (n, oobn, flags int, addr *net.UDPAddr, err error)
 }
 var _ udpConn = (*net.UDPConn)(nil)
 // ipConn is an interface implemented by net.IPConn.
 // It can be used for interface assertions to check if a net.Conn is an IP connection.
 type ipConn interface {
 	SyscallConn() (syscall.RawConn, error)
 	ReadMsgIP(b, oob []byte) (n, oobn, flags int, addr *net.IPAddr, err error)
 }
 var _ ipConn = (*net.IPConn)(nil)
 // NewConn returns a new raw connection.
 func NewConn(c net.Conn) (*Conn, error) {
 	var err error
 	var cc Conn
 	switch c := c.(type) {
-	case *net.TCPConn:
+	case tcpConn:
 		cc.network = "tcp"
 		cc.c, err = c.SyscallConn()
-	case *net.UDPConn:
+	case udpConn:
 		cc.network = "udp"
 		cc.c, err = c.SyscallConn()
-	case *net.IPConn:
+	case ipConn:
 		cc.network = "ip"
 		cc.c, err = c.SyscallConn()
 	default:
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -92,6 +92,7 @@ github.com/anmitsu/go-shlex
 github.com/asaskevich/govalidator
 # github.com/aymerick/douceur v0.2.0
 github.com/aymerick/douceur/css
 github.com/aymerick/douceur/parser
 # github.com/beorn7/perks v1.0.1
 github.com/beorn7/perks/quantile
 # github.com/blevesearch/bleve/v2 v2.0.2
@ -178,8 +179,6 @@ github.com/cespare/xxhash/v2
 # github.com/chi-middleware/proxy v1.1.1
 ## explicit
 github.com/chi-middleware/proxy
 # github.com/chris-ramon/douceur v0.2.0
 github.com/chris-ramon/douceur/parser
 # github.com/couchbase/go-couchbase v0.0.0-20210224140812-5740cd35f448
 ## explicit
 github.com/couchbase/go-couchbase
@ -597,7 +596,7 @@ github.com/mholt/acmez/acme
 # github.com/mholt/archiver/v3 v3.5.0
 ## explicit
 github.com/mholt/archiver/v3
-# github.com/microcosm-cc/bluemonday v1.0.5 => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8
+# github.com/microcosm-cc/bluemonday v1.0.6
 ## explicit
 github.com/microcosm-cc/bluemonday
 # github.com/miekg/dns v1.1.40
@ -891,7 +890,7 @@ golang.org/x/crypto/ssh/knownhosts
 # golang.org/x/mod v0.4.1
 golang.org/x/mod/module
 golang.org/x/mod/semver
-# golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c
+# golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
 ## explicit
 golang.org/x/net/bpf
 golang.org/x/net/context
@ -1065,4 +1064,3 @@ xorm.io/xorm/names
 xorm.io/xorm/schemas
 xorm.io/xorm/tags
 # github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4
 # github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8