Subject: CVS commit: [pkgsrc-2019Q3] pkgsrc/www/ruby-loofah
From: Benny Siegert
Date: 2019-10-23 13:33:38
Message id: 20191023113338.E9AC4FA81@cvs.NetBSD.org

Log Message:
Pullup ticket #6074 - requested by taca
www/ruby-loofah: security fix

Revisions pulled up:
- www/ruby-loofah/Makefile                                      1.6
- www/ruby-loofah/PLIST                                         1.5
- www/ruby-loofah/distinfo                                      1.6

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Oct 22 16:24:20 UTC 2019

   Modified Files:
   	pkgsrc/www/ruby-loofah: Makefile PLIST distinfo

   Log Message:
   www/ruby-loofah: update to 2.3.1

   ## 2.3.1 / 2019-10-22

   ### Security

   Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

   This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171

   ## 2.3.0 / unreleased

   ### Features

   * Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
   * Expand set of allowed CSS functions. [related to #122]
   * Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
   * Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
   * Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
   * Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)

   ### Bug fixes

   * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

   ### Deprecations / Name Changes

   The following method and constants are hereby deprecated, and will be completely removed in a future release:

   * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
   * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
   * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.

   Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

Files:
Revision  Action  file
1.5.8.1   modify  pkgsrc/www/ruby-loofah/Makefile
1.4.8.1   modify  pkgsrc/www/ruby-loofah/PLIST
1.5.8.1   modify  pkgsrc/www/ruby-loofah/distinfo