Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency rails-html-sanitizer to '>= 1.4.3', '< 1.6.3' #265

Open
wants to merge 1 commit into
base: gruppi-old
Choose a base branch
from
Open

chore(deps): update dependency rails-html-sanitizer to '>= 1.4.3', '< 1.6.3' #265

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 8, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
rails-html-sanitizer (changelog) '>= 1.4.3', '< 1.5.0' -> '>= 1.4.3', '< 1.6.3' age adoption passing confidence

Release Notes

rails/rails-html-sanitizer (rails-html-sanitizer)

v1.6.2

Compare Source

  • PermitScrubber fully supports frozen "allowed tags".

    v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
    introduced a regression for applications passing a frozen array of allowed tags. Tags and
    attributes are now properly copied when they are passed to the scrubber.

    Fixes #​195.

    Mike Dalessio

v1.6.1

Compare Source

This is a performance and security release which addresses several possible XSS vulnerabilities.

  • The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

    This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

    Mike Dalessio

  • Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
    regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the
    gem was configured with the prune: true option.

    The CVEs addressed by this change are:

    Mike Dalessio

  • The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
    the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
    are removed from the allow-list.

    The CVEs addressed by this change are:

    Please note that we may restore support for allowing "noscript" in a future release. We do not
    expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
    for these tags.

    Mike Dalessio

  • Improve performance by eliminating needless operations on attributes that are being removed. #​188

    Mike Dalessio

v1.6.0

Compare Source

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1
    (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by
    Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version
    of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical
    to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's
    supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer
    already ensured this encoding.

    Mike Dalessio

  • SafeListSanitizer allows time tag and lang attribute by default.

    Mike Dalessio

  • The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the
    existing sanitizers, and should have been a private constant all along anyway.

    Mike Dalessio

v1.5.0

Compare Source

  • SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.

    By default, unsafe tags are still stripped, but this behavior can be changed to prune the element
    and its children from the document by passing prune: true to any of these classes' constructors.

    seyerian

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/rails-html-sanitizer-1.x branch from f5650d8 to dba77de Compare December 12, 2024 23:49
@renovate renovate bot changed the title chore(deps): update dependency rails-html-sanitizer to '>= 1.4.3', '< 1.6.2' chore(deps): update dependency rails-html-sanitizer to '>= 1.4.3', '< 1.6.3' Dec 12, 2024
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Dec 12, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
[23:48:54.622] INFO (929): Installing tool [email protected]...
installing v2 tool ruby v2.7.0
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.0/ruby-2.7.0-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.0/ruby-2.7.0-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.0/ruby-2.7.0-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.0/ruby-2.7.0-jammy-x86_64.tar.xz
[23:48:56.420] INFO (997): Downloading file ...
    url: "https://github.com/containerbase/ruby-prebuild/releases/download/2.7.0/ruby-2.7.0-jammy-x86_64.tar.xz"
    output: "/tmp/renovate/cache/containerbase/0531f43529cd89789cba5fef00a6cee298312a47483cf38c7b97fe8b8af98368/ruby-2.7.0-jammy-x86_64.tar.xz"
[23:48:56.516] ERROR (997): Response code 404 (Not Found)
[23:48:56.517] FATAL (997): Download failed in 101ms.
[23:48:56.606] ERROR (929): Command failed with exit code 1: /usr/local/containerbase/bin/install-tool.sh ruby 2.7.0
[23:48:56.607] FATAL (929): Install tool ruby failed in 2s.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants