./www/ruby-loofah, HTML sanitizer for Rails applications



Branch: pkgsrc-2019Q3, Version: 2.3.1, Package name: ruby24-loofah-2.3.1, Maintainer: minskim

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API. Loofah excels at HTML sanitization (XSS
prevention). It includes some nice HTML sanitizers, which are based on
HTML5lib's whitelist, so it most likely won't make your code less
secure.


Required to run:
[lang/ruby24-base] [textproc/ruby-nokogiri] [www/ruby-crass]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 732be438c5a2a3c7e63a8f173b24b05f78df1ff2
RMD160: 382991856327a36978f2c47ccda2b1185338f412
Filesize: 66.5 KB

CVS history:


   2019-10-23 13:33:38 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Pullup ticket #6074 - requested by taca
www/ruby-loofah: security fix

Revisions pulled up:
- www/ruby-loofah/Makefile                                      1.6
- www/ruby-loofah/PLIST                                         1.5
- www/ruby-loofah/distinfo                                      1.6

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Oct 22 16:24:20 UTC 2019

   Modified Files:
   	pkgsrc/www/ruby-loofah: Makefile PLIST distinfo

   Log message:
   www/ruby-loofah: update to 2.3.1

   ## 2.3.1 / 2019-10-22

   ### Security

   Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

   This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171

   ## 2.3.0 / unreleased

   ### Features

   * Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
   * Expand set of allowed CSS functions. [related to #122]
   * Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
   * Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
   * Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
   * Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)

   ### Bug fixes

   * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

   ### Deprecations / Name Changes

   The following method and constants are hereby deprecated, and will be completely removed in a future release:

   * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
   * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
   * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.

   Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.