vendor: delete

1 files changed, 0 insertions, 122 deletions

diff --git a/vendor/github.com/google/safehtml/template/url.go b/vendor/github.com/google/safehtml/template/url.go
deleted file mode 100644
index f63475fcf..000000000
--- a/vendor/github.com/google/safehtml/template/url.go
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package template
-
-import (
-	"fmt"
-	"html"
-	"regexp"
-	"strings"
-
-	"github.com/google/safehtml/internal/safehtmlutil"
-	"github.com/google/safehtml"
-)
-
-// urlPrefixValidators maps URL and TrustedResourceURL sanitization contexts to functions return an error
-// if the given string is unsafe to use as a URL prefix in that sanitization context.
-var urlPrefixValidators = map[sanitizationContext]func(string) error{
-	sanitizationContextURL:                     validateURLPrefix,
-	sanitizationContextTrustedResourceURLOrURL: validateURLPrefix,
-	sanitizationContextTrustedResourceURL:      validateTrustedResourceURLPrefix,
-}
-
-// startsWithFullySpecifiedSchemePattern matches strings that have a fully-specified scheme component.
-// See RFC 3986 Section 3.
-var startsWithFullySpecifiedSchemePattern = regexp.MustCompile(
-	`^[[:alpha:]](?:[[:alnum:]]|[+.-])*:`)
-
-// validateURLPrefix validates if the given non-empty prefix is a safe safehtml.URL prefix.
-//
-// Prefixes are considered unsafe if they end in an incomplete HTML character reference
-// or percent-encoding character triplet.
-//
-// If the prefix contains a fully-specified scheme component, it is considered safe only if
-// it starts with an allowed scheme. See safehtml.URLSanitized for more details.
-//
-// Otherwise, the prefix is safe only if it contains '/', '?', or '#', since the presence of any
-// of these runes ensures that this prefix, when combined with some arbitrary suffix, cannot be
-// interpreted as a part of a scheme.
-func validateURLPrefix(prefix string) error {
-	decoded, err := decodeURLPrefix(prefix)
-	if err != nil {
-		return err
-	}
-	switch {
-	case startsWithFullySpecifiedSchemePattern.MatchString(decoded):
-		if safehtml.URLSanitized(decoded).String() != decoded {
-			return fmt.Errorf("URL prefix %q contains an unsafe scheme", prefix)
-		}
-	case !strings.ContainsAny(decoded, "/?#"):
-		// If the URL prefix does not already have a ':' scheme delimiter, and does not contain
-		// '/', '?', or '#', any ':' following this prefix will be intepreted as a scheme
-		// delimiter, causing this URL prefix to be interpreted as being part of a scheme.
-		// e.g. `<a href="java{{ "script:" }}alert(1)>`
-		return fmt.Errorf("URL prefix %q is unsafe; it might be interpreted as part of a scheme", prefix)
-	}
-	return nil
-}
-
-// validateTrustedResourceURLPrefix validates if the given non-empty prefix is a safe
-// safehtml.TrustedResourceURL prefix.
-//
-// Prefixes are considered unsafe if they end in an incomplete HTML character reference
-// or percent-encoding character triplet.
-//
-// See safehtmlutil.IsSafeTrustedResourceURLPrefix for details on how the prefix is validated.
-func validateTrustedResourceURLPrefix(prefix string) error {
-	decoded, err := decodeURLPrefix(prefix)
-	if err != nil {
-		return err
-	}
-	if !safehtmlutil.IsSafeTrustedResourceURLPrefix(decoded) {
-		return fmt.Errorf("%q is a disallowed TrustedResourceURL prefix", prefix)
-	}
-	return nil
-}
-
-// endsWithPercentEncodingPrefixPattern matches strings that end in an incomplete
-// URL percent encoding triplet.
-//
-// See https://tools.ietf.org/html/rfc3986#section-2.1.
-var endsWithPercentEncodingPrefixPattern = regexp.MustCompile(
-	`%[[:xdigit:]]?$`)
-
-// containsWhitespaceOrControlPattern matches strings that contain ASCII whitespace
-// or control characters.
-var containsWhitespaceOrControlPattern = regexp.MustCompile(`[[:space:]]|[[:cntrl:]]`)
-
-// decodeURLPrefix returns the given prefix after it has been HTML-unescaped.
-// It returns an error if the prefix:
-//    * ends in an incomplete HTML character reference before HTML-unescaping,
-//    * ends in an incomplete percent-encoding character triplet after HTML-unescaping, or
-//    * contains whitespace before or after HTML-unescaping.
-func decodeURLPrefix(prefix string) (string, error) {
-	if containsWhitespaceOrControlPattern.MatchString(prefix) {
-		return "", fmt.Errorf("URL prefix %q contains whitespace or control characters", prefix)
-	}
-	if err := validateDoesNotEndsWithCharRefPrefix(prefix); err != nil {
-		return "", fmt.Errorf("URL %s", err)
-	}
-	decoded := html.UnescapeString(prefix)
-	// Check again for whitespace that might have previously been masked by a HTML reference,
-	// such as in "javascript&NewLine;".
-	if containsWhitespaceOrControlPattern.MatchString(decoded) {
-		return "", fmt.Errorf("URL prefix %q contains whitespace or control characters", prefix)
-	}
-	if endsWithPercentEncodingPrefixPattern.MatchString(decoded) {
-		return "", fmt.Errorf("URL prefix %q ends with an incomplete percent-encoding character triplet", prefix)
-	}
-	return decoded, nil
-}
-
-func validateTrustedResourceURLSubstitution(args ...interface{}) (string, error) {
-	input := safehtmlutil.Stringify(args...)
-	if safehtmlutil.URLContainsDoubleDotSegment(input) {
-		// Reject substitutions containing the ".." dot-segment to prevent the final TrustedResourceURL from referencing
-		// a resource higher up in the path name hierarchy than the path specified in the prefix.
-		return "", fmt.Errorf(`cannot substitute %q after TrustedResourceURL prefix: ".." is disallowed`, input)
-	}
-	return input, nil
-}