./www/ruby-rails-html-sanitizer, HTML sanitizer for Rails applications

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.6.0, Package name: ruby31-rails-html-sanitizer-1.6.0, Maintainer: minskim

HTML sanitization for Rails applications.


Required to run:
[www/ruby-loofah] [lang/ruby26-base]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 23 KB

Version history: (Expand)

CVS history: (Expand)


   2023-05-28 03:51:44 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.6.0

1.6.0 (2023-05-26)

* Dependencies have been updated:

	- Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
	- As a result, required Ruby version is now >= 2.7.0

* Security updates will continue to be made on the 1.5.x release branch as
  long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

* HTML5 standards-compliant sanitizers are now available on platforms
  supported by Nokogiri::HTML5. These are available as:

	- Rails::HTML5::FullSanitizer
	- Rails::HTML5::LinkSanitizer
	- Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can \ 
be used
  in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its
  behavior is identical to the vendor class methods on
  Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back
  the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

* Module namespaces have changed, but backwards compatibility is provided by
  aliases.

  The library defines three additional modules:

	- Rails::HTML for general functionality (replacing Rails::Html)
	- Rails::HTML4 containing sanitizers that parse content as HTML4
	- Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

	- Rails::Html points to Rails::HTML
	- Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
	- Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
	- Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

* LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and
  FullSanitizer already ensured this encoding.

  Mike Dalessio

* SafeListSanitizer allows time tag and lang attribute by default.

  Mike Dalessio

* The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not
  necessary with the existing sanitizers, and should have been a private
  constant all along anyway.

  Mike Dalessio
   2023-01-21 15:14:29 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.5.0

1.5.0 (2023-01-20)

* SafeListSanitizer, PermitScrubber, and TargetScrubber now all support
  pruning of unsafe tags.

  By default, unsafe tags are still stripped, but this behavior can be
  changed to prune the element and its children from the document by
  passing prune: true to any of these classes' constructors.

  @seyerian
   2023-01-03 16:19:14 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.4.4

1.4.4 (2022-12-13)

* Address inefficient regular expression complexity with certain
  configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

* Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

* Address possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

* Address possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio
   2022-06-12 14:20:11 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.4.3

1.4.3 (2022-06-09)

* Address a possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Prevent the combination of `select` and `style` as allowed tags in
  SafeListSanitizer.

  Fixes CVE-2022-32209

  *Mike Dalessio*
   2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) 
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) 
Log message:
www: Remove SHA1 hashes for distfiles
   2020-03-20 18:54:27 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.3.0

Update ruby-rails-html-sanitizer to 1.3.0.

## 1.3.0

* Address deprecations in Loofah 2.3.0.

  *Josh Goodall*

## 1.2.0

* Remove needless `white_list_sanitizer` deprecation.

  By deprecating this, we were forcing Rails 5.2 to be updated or spew
  deprecations that users could do nothing about.

  That's pointless and I'm sorry for adding that!

  Now there's no deprecation warning and Rails 5.2 works out of the box, while
  Rails 6 can use the updated naming.

  *Kasper Timm Hansen*

## 1.1.0

* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
  in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87

  *Juanito Fatas*

* Remove `href` from LinkScrubber's `tags` as it's not an element.
  https://github.com/rails/rails-html-sanitizer/pull/92

  *Juanito Fatas*

* Explain that we don't need to bump Loofah here if there's CVEs.
  \ 
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b

  *Kasper Timm Hansen*
   2018-03-23 15:06:32 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.0.4

1.0.4 (2018/03/22)

* Fix CVE-2018-3741. (FIx a possible XSS vulnerability)