./www/ruby-loofah, HTML sanitizer for Rails applications



Branch: CURRENT, Version: 2.2.3, Package name: ruby24-loofah-2.2.3, Maintainer: minskim

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API. Loofah excels at HTML sanitization (XSS
prevention). It includes some nice HTML sanitizers, which are based on
HTML5lib's whitelist, so it most likely won't make your code less
secure.


Required to run:
[textproc/ruby-nokogiri] [lang/ruby24-base] [www/ruby-crass]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: b907029ec05b39a8f239a83c443e5cf94baecfad
RMD160: 7da4488ecc2a3c341a3716e0286e556b20bde270
Filesize: 64 KB

CVS history:


   2018-11-01 17:11:45 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-loofah: update to 2.2.3

## 2.2.3 / 2018-10-30

### Security

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output
when a crafted SVG element is republished.

This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154

## Meta / 2018-10-27

The mailing list is now on Google Groups
[#146](https://github.com/flavorjones/loofah/issues/146):

* Mail: loofah-talk@googlegroups.com
* Archive: https://groups.google.com/forum/#!forum/loofah-talk

This change was made because librelist no longer appears to be maintained.

   2018-03-23 15:33:21 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-loofah: update to 2.2.2

## 2.2.2 / 2018-03-22

Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

   2018-03-21 13:09:39 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-loofah: update to 2.2.1

## 2.2.1 / 2018-03-19

Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present
in sanitized output when input with specially-crafted HTML fragments.

This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144

   2018-03-17 17:21:48 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-loofah: update to 2.2.0

## 2.2.0 / 2018-02-11

Features:

* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)

Bugfixes:

* Properly handle nested `script` tags. #127.

## 2.1.1 / 2017-09-24

Bugfixes:

* Removed warning for unused variable. #124 (Thanks, @y-yagi!)

## 2.1.0 / 2017-09-24

Notes:

* Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91

Features:

* Added :noopener HTML scrubber (Thanks, @tastycode!)
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)

Bugfixes:

* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91

   2017-04-06 05:10:52 by Min Sik Kim | Files touched by this commit (4)
Log message:
Import ruby-loofah-2.0.3 as www/ruby-loofah

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API. Loofah excels at HTML sanitization (XSS
prevention). It includes some nice HTML sanitizers, which are based on
HTML5lib's whitelist, so it most likely won't make your code less
secure.