./www/ruby-rails-html-sanitizer, HTML sanitizer for Rails applications

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.6.2, Package name: ruby32-rails-html-sanitizer-1.6.2, Maintainer: minskim

HTML sanitization for Rails applications.


Required to run:
[www/ruby-loofah] [lang/ruby26-base]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 25 KB

Version history: (Expand)


CVS history: (Expand)


   2024-12-13 17:28:41 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.6.2

1.6.2 / 2024-12-12

* PermitScrubber fully supports frozen "allowed tags".

  1.6.1 introduced safety checks that may remove unsafe tags from the
  allowed list, which introduced a regression for applications passing a
  frozen array of allowed tags. Tags and attributes are now properly copied
  when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio
   2024-12-11 15:42:38 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.6.1

1.6.1 (2024-12-02)

This is a performance and security release which addresses several possible
XSS vulnerabilities.

* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

* Disallowed tags will be pruned when they appear in foreign content
  (i.e. SVG or MathML content), regardless of the prune: option
  value. Previously, disallowed tags were "stripped" unless the gem was
  configured with the prune: true option.

  The CVEs addressed by this change are:

        - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
        - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

* The tags "noscript", "mglyph", and "malignmark" \ 
will not be allowed, even
  if explicitly added to the allowlist. If applications try to allow any of
  these tags, a warning is emitted and the tags are removed from the
  allow-list.

  The CVEs addressed by this change are:

        - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
        - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a
  future release. We do not expect to ever allow "mglyph" or \ 
"malignmark",
  though, especially since browser support is minimal for these tags.

  Mike Dalessio

* Improve performance by eliminating needless operations on attributes that
  are being removed. #188

  Mike Dalessio
   2023-05-28 03:51:44 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.6.0

1.6.0 (2023-05-26)

* Dependencies have been updated:

	- Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
	- As a result, required Ruby version is now >= 2.7.0

* Security updates will continue to be made on the 1.5.x release branch as
  long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

* HTML5 standards-compliant sanitizers are now available on platforms
  supported by Nokogiri::HTML5. These are available as:

	- Rails::HTML5::FullSanitizer
	- Rails::HTML5::LinkSanitizer
	- Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can \ 
be used
  in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its
  behavior is identical to the vendor class methods on
  Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back
  the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

* Module namespaces have changed, but backwards compatibility is provided by
  aliases.

  The library defines three additional modules:

	- Rails::HTML for general functionality (replacing Rails::Html)
	- Rails::HTML4 containing sanitizers that parse content as HTML4
	- Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

	- Rails::Html points to Rails::HTML
	- Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
	- Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
	- Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

* LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and
  FullSanitizer already ensured this encoding.

  Mike Dalessio

* SafeListSanitizer allows time tag and lang attribute by default.

  Mike Dalessio

* The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not
  necessary with the existing sanitizers, and should have been a private
  constant all along anyway.

  Mike Dalessio
   2023-01-21 15:14:29 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.5.0

1.5.0 (2023-01-20)

* SafeListSanitizer, PermitScrubber, and TargetScrubber now all support
  pruning of unsafe tags.

  By default, unsafe tags are still stripped, but this behavior can be
  changed to prune the element and its children from the document by
  passing prune: true to any of these classes' constructors.

  @seyerian
   2023-01-03 16:19:14 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.4.4

1.4.4 (2022-12-13)

* Address inefficient regular expression complexity with certain
  configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

* Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

* Address possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

* Address possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio
   2022-06-12 14:20:11 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/ruby-rails-html-sanitizer: update to 1.4.3

1.4.3 (2022-06-09)

* Address a possible XSS vulnerability with certain configurations of
  Rails::Html::Sanitizer.

  Prevent the combination of `select` and `style` as allowed tags in
  SafeListSanitizer.

  Fixes CVE-2022-32209

  *Mike Dalessio*
   2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030)
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033)
Log message:
www: Remove SHA1 hashes for distfiles