Navigation:
Browse pkgsrc
(this page)
www ruby-rai..
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ] 2024-12-13 17:28:41 by Takahiro Kambe | Files touched by this commit (2) |  |
Log message: www/ruby-rails-html-sanitizer: update to 1.6.2 1.6.2 / 2024-12-12 * PermitScrubber fully supports frozen "allowed tags". 1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber. Fixes #195. Mike Dalessio |
| 2024-12-11 15:42:38 by Takahiro Kambe | Files touched by this commit (2) | |
Log message:
www/ruby-rails-html-sanitizer: update to 1.6.1
1.6.1 (2024-12-02)
This is a performance and security release which addresses several possible
XSS vulnerabilities.
* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.
This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).
Mike Dalessio
* Disallowed tags will be pruned when they appear in foreign content
(i.e. SVG or MathML content), regardless of the prune: option
value. Previously, disallowed tags were "stripped" unless the gem was
configured with the prune: true option.
The CVEs addressed by this change are:
- CVE-2024-53986 (GHSA-638j-pmjw-jq48)
- CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)
Mike Dalessio
* The tags "noscript", "mglyph", and "malignmark" \
will not be allowed, even
if explicitly added to the allowlist. If applications try to allow any of
these tags, a warning is emitted and the tags are removed from the
allow-list.
The CVEs addressed by this change are:
- CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
- CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)
Please note that we may restore support for allowing "noscript" in a
future release. We do not expect to ever allow "mglyph" or \
"malignmark",
though, especially since browser support is minimal for these tags.
Mike Dalessio
* Improve performance by eliminating needless operations on attributes that
are being removed. #188
Mike Dalessio
|
| 2023-05-28 03:51:44 by Takahiro Kambe | Files touched by this commit (3) | |
Log message: www/ruby-rails-html-sanitizer: update to 1.6.0 1.6.0 (2023-05-26) * Dependencies have been updated: - Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support - As a result, required Ruby version is now >= 2.7.0 * Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support. Mike Dalessio * HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as: - Rails::HTML5::FullSanitizer - Rails::HTML5::LinkSanitizer - Rails::HTML5::SafeListSanitizer And a new "vendor" is provided at Rails::HTML5::Sanitizer that can \ be used in a future version of Rails. Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer. Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor. Mike Dalessio * Module namespaces have changed, but backwards compatibility is provided by aliases. The library defines three additional modules: - Rails::HTML for general functionality (replacing Rails::Html) - Rails::HTML4 containing sanitizers that parse content as HTML4 - Rails::HTML5 containing sanitizers that parse content as HTML5 The following aliases are maintained for backwards compatibility: - Rails::Html points to Rails::HTML - Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer - Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer - Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer Mike Dalessio * LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding. Mike Dalessio * SafeListSanitizer allows time tag and lang attribute by default. Mike Dalessio * The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the existing sanitizers, and should have been a private constant all along anyway. Mike Dalessio |
| 2023-01-21 15:14:29 by Takahiro Kambe | Files touched by this commit (2) | |
Log message: www/ruby-rails-html-sanitizer: update to 1.5.0 1.5.0 (2023-01-20) * SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags. By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing prune: true to any of these classes' constructors. @seyerian |
| 2023-01-03 16:19:14 by Takahiro Kambe | Files touched by this commit (2) | |
Log message: www/ruby-rails-html-sanitizer: update to 1.4.4 1.4.4 (2022-12-13) * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information. Mike Dalessio * Address improper sanitization of data URIs. Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information. Mike Dalessio * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information. Mike Dalessio * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information. Mike Dalessio |
| 2022-06-12 14:20:11 by Takahiro Kambe | Files touched by this commit (2) | |
Log message: www/ruby-rails-html-sanitizer: update to 1.4.3 1.4.3 (2022-06-09) * Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer. Fixes CVE-2022-32209 *Mike Dalessio* |
| 2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message: www: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts): www/nghttp2/distinfo Unfetchable distfiles (almost certainly fetched conditionally...): ./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx-devel/distinfo naxsi-1.3.tar.gz ./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx-devel/distinfo njs-0.5.0.tar.gz ./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz ./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx/distinfo naxsi-1.3.tar.gz ./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx/distinfo njs-0.5.0.tar.gz ./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz |
| 2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message: www: Remove SHA1 hashes for distfiles |
New packages: