vendor: delete

1 files changed, 0 insertions, 127 deletions

diff --git a/vendor/github.com/google/safehtml/url.go b/vendor/github.com/google/safehtml/url.go
deleted file mode 100644
index 6e772219c..000000000
--- a/vendor/github.com/google/safehtml/url.go
+++ /dev/null
@@ -1,127 +0,0 @@
-// Copyright (c) 2017 The Go Authors. All rights reserved.
-//
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file or at
-// https://developers.google.com/open-source/licenses/bsd
-
-package safehtml
-
-import (
-	"regexp"
-	"strings"
-)
-
-// A URL is an immutable string-like type that is safe to use in URL contexts in
-// DOM APIs and HTML documents.
-//
-// URL guarantees that its value as a string will not cause untrusted script execution
-// when evaluated as a hyperlink URL in a browser.
-//
-// Values of this type are guaranteed to be safe to use in URL/hyperlink contexts,
-// such as assignment to URL-valued DOM properties, in the sense that the use
-// will not result in a Cross-site Scripting (XSS) vulnerability. Similarly, URLs can
-// be interpolated into the URL context of an HTML template (e.g. inside a href attribute).
-// However, appropriate HTML-escaping must still be applied.
-//
-// Note that this type's contract does not imply any guarantees regarding the resource
-// the URL refers to. In particular, URLs are not safe to use in a context
-// where the referred-to resource is interpreted as trusted code, e.g., as the src of
-// a script tag. For safely loading trusted resources, use the TrustedResourceURL type.
-type URL struct {
-	// We declare a URL not as a string but as a struct wrapping a string
-	// to prevent construction of URL values through string conversion.
-	str string
-}
-
-// InnocuousURL is an innocuous URL generated by URLSanitized when passed an unsafe URL.
-//
-// about:invalid is registered in http://www.w3.org/TR/css3-values/#about-invalid,
-// and "references a non-existent document with a generic error condition. It can be
-// used when a URI is necessary, but the default value shouldn't be resolveable as any
-// type of document."
-//
-// http://tools.ietf.org/html/rfc6694#section-2.1 permits about URLs to contain
-// a fragment, which is not to be considered when determining if an about URL is
-// well-known.
-const InnocuousURL = "about:invalid#zGoSafez"
-
-// URLSanitized returns a URL whose value is url, validating that the input string matches
-// a pattern of commonly used safe URLs. If url fails validation, this method returns a
-// URL containing InnocuousURL.
-//
-// url may be a URL with the http, https, ftp or mailto scheme, or a relative URL,
-// i.e. a URL without a scheme. Specifically, a relative URL may be scheme-relative,
-// absolute-path-relative, or path-relative. See
-// http://url.spec.whatwg.org/#concept-relative-url.
-//
-// url may also be a base64 data URL with an allowed audio, image or video MIME type.
-//
-// No attempt is made at validating that the URL percent-decodes to structurally valid or
-// interchange-valid UTF-8 since the percent-decoded representation is unsafe to use in an
-// HTML context regardless of UTF-8 validity.
-func URLSanitized(url string) URL {
-	if !isSafeURL(url) {
-		return URL{InnocuousURL}
-	}
-	return URL{url}
-}
-
-// safeURLPattern matches URLs that
-//    (a) Start with a scheme in an allowlist (http, https, mailto, ftp); or
-//    (b) Contain no scheme. To ensure that the URL cannot be interpreted as a
-//        disallowed scheme URL, ':' may only appear after one of the runes [/?#].
-//
-// The origin (RFC 6454) in which a URL is loaded depends on
-// its scheme.  We assume that the scheme used by the current document is HTTPS, HTTP, or
-// something equivalent.  We allow relative URLs unless in a particularly sensitive context
-// called a "TrustedResourceUrl" context. In a non-TrustedResourceURL context we allow absolute
-// URLs whose scheme is on a white-list.
-//
-// The position of the first colon (':') character determines whether a URL is absolute or relative.
-// Looking at the prefix leading up to the first colon allows us to identify relative and absolute URLs,
-// extract the scheme, and minimize the risk of a user-agent concluding a URL specifies a scheme not in
-// our allowlist.
-//
-// According to RFC 3986 Section 3, the normative interpretation of the canonicial WHATWG specification
-// (https://url.spec.whatwg.org/#url-scheme-string), colons can appear in a URL in these locations:
-//    * A colon after a non-empty run of (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )) ends a scheme.
-//      If the colon after the scheme is not followed by "//" then any subsequent colons are part
-//      of an opaque URI body.
-//    * Otherwise, a colon after a hash (#) must be in the fragment.
-//    * Otherwise, a colon after a (?) must be in the query.
-//    * Otherwise, a colon after a single solidus ("/") must be in the path.
-//    * Otherwise, a colon after a double solidus ("//") must be in the authority (before port).
-//    * Otherwise, a colon after a valid protocol must be in the opaque part of the URL.
-var safeURLPattern = regexp.MustCompile(`^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))`)
-
-// dataURLPattern matches base-64 data URLs (RFC 2397), with the first capture group being the media type
-// specification given as a MIME type.
-//
-// Note: this pattern does not match data URLs containig media type specifications with optional parameters,
-// such as `data:text/javascript;charset=UTF-8;base64,...`. This is ok since this pattern only needs to
-// match audio, image and video MIME types in its capture group.
-var dataURLPattern = regexp.MustCompile(`^data:([^;,]*);base64,[a-z0-9+/]+=*$`)
-
-// safeMIMETypePattern matches MIME types that are safe to include in a data URL.
-var safeMIMETypePattern = regexp.MustCompile(`^(?:audio/(?:3gpp2|3gpp|aac|midi|mp3|mp4|mpeg|oga|ogg|opus|x-m4a|x-matroska|x-wav|wav|webm)|image/(?:bmp|gif|jpeg|jpg|png|tiff|webp|x-icon)|video/(?:mpeg|mp4|ogg|webm|x-matroska))$`)
-
-// isSafeURL matches url to a subset of URLs that will not cause script execution if used in
-// a URL context within a HTML document. Specifically, this method returns true if url:
-//    (a) Starts with a scheme in the default allowlist (http, https, mailto, ftp); or
-//    (b) Contains no scheme. To ensure that the URL cannot be interpreted as a
-//        disallowed scheme URL, the runes ':', and '&' may only appear
-//        after one of the runes [/?#].
-func isSafeURL(url string) bool {
-	// Ignore case.
-	url = strings.ToLower(url)
-	if safeURLPattern.MatchString(url) {
-		return true
-	}
-	submatches := dataURLPattern.FindStringSubmatch(url)
-	return len(submatches) == 2 && safeMIMETypePattern.MatchString(submatches[1])
-}
-
-// String returns the string form of the URL.
-func (u URL) String() string {
-	return u.str
-}