Sync from SUSE:SLFO:Main rubygem-rails-html-sanitizer revision 65472f83bf855ab1517fee5d98094939

2025-02-06 18:13:25 +01:00 · 2025-02-06 18:13:25 +01:00 · 60e1ec9992
commit 60e1ec9992
5 changed files with 290 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/gem2rpm.yml
+++ b/gem2rpm.yml
@ -0,0 +1,2 @@
+# ---
+:summary: HTML sanitization to Rails applications (part of Rails)
--- a/rails-html-sanitizer-1.6.0.gem
+++ b/rails-html-sanitizer-1.6.0.gem
--- a/rubygem-rails-html-sanitizer.changes
+++ b/rubygem-rails-html-sanitizer.changes
@ -0,0 +1,200 @@
+-------------------------------------------------------------------
+Thu Aug 31 14:35:11 UTC 2023 - Paolo Perego <paolo.perego@suse.com>
+
+- Updated to version 1.6.0
+
+    * Dependencies have been updated:
+
+      - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
+      - As a result, required Ruby version is now `>= 2.7.0`
+
+      Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
+      (which supports Ruby 2.5) is still in security support.
+
+      *Mike Dalessio*
+
+    * HTML5 standards-compliant sanitizers are now available on platforms supported by
+      Nokogiri::HTML5. These are available as:
+
+      - `Rails::HTML5::FullSanitizer`
+      - `Rails::HTML5::LinkSanitizer`
+      - `Rails::HTML5::SafeListSanitizer`
+
+      And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version
+      of Rails.
+
+      Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical
+      to the vendor class methods on `Rails::HTML::Sanitizer`.
+
+      Users may call `Rails::HTML::Sanitizer.best_supported_vendor` to get back the HTML5 vendor if it's
+      supported, else the legacy HTML4 vendor.
+
+      *Mike Dalessio*
+
+    * Module namespaces have changed, but backwards compatibility is provided by aliases.
+
+      The library defines three additional modules:
+
+      - `Rails::HTML` for general functionality (replacing `Rails::Html`)
+      - `Rails::HTML4` containing sanitizers that parse content as HTML4
+      - `Rails::HTML5` containing sanitizers that parse content as HTML5
+
+      The following aliases are maintained for backwards compatibility:
+
+      - `Rails::Html` points to `Rails::HTML`
+      - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+      - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+      - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
+
+      *Mike Dalessio*
+
+    * `LinkSanitizer` always returns UTF-8 encoded strings. `SafeListSanitizer` and `FullSanitizer`
+      already ensured this encoding.
+
+      *Mike Dalessio*
+
+    * `SafeListSanitizer` allows `time` tag and `lang` attribute by default.
+
+      *Mike Dalessio*
+
+    * The constant `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the
+      existing sanitizers, and should have been a private constant all along anyway.
+
+      *Mike Dalessio*
+
+- Removed comparison against a very old ruby code no longer maintained
+- Updated description in spec file
+
+-------------------------------------------------------------------
+Wed Feb 22 16:23:02 UTC 2023 - Paolo Perego <paolo.perego@suse.com>
+
+- updated to version 1.5.0
+    * SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.
+
+        By default, unsafe tags are still stripped, but this behavior can be
+        changed to prune the elementand its children from the document by passing
+        prune: true to any of these classes' constructors.
+
+        @seyerian
+
+    ## 1.4.4 / 2022-12-13
+
+	* Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
+	Fixes CVE-2022-23517 (bsc#1206433). See GHSA-5x79-w82f-gw8w for more information.
+
+	_Mike Dalessio_
+
+	* Address improper sanitization of data URIs.
+	Fixes CVE-2022-23518 (bsc#1206434) and #135. See GHSA-mcvf-2q2m-x72m for more information.
+
+	_Mike Dalessio_
+
+	* Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
+	Fixes CVE-2022-23520 (bsc#1206436). See GHSA-rrfc-7g8p-99q8 for more information.
+
+	_Mike Dalessio_
+
+	* Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
+	Fixes CVE-2022-23519 (bsc#1206435). See GHSA-9h9g-93gc-623h for more information.
+
+	_Mike Dalessio_
+
+-------------------------------------------------------------------
+Mon Jun 13 17:09:28 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 1.4.3
+
+  * Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
+
+    Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer.
+
+    Fixes CVE-2022-32209: bsc#1201183. File 0001_CVE-2022-32209.patch no longer required.
+
+    *Mike Dalessio*
+
+-------------------------------------------------------------------
+Wed Aug 25 05:24:58 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 1.4.2
+
+  * Slightly improve performance.
+
+    Assuming elements are more common than comments, make one less method call per node.
+
+    *Mike Dalessio*
+
+  ## 1.4.1 / 2021-08-18
+
+  * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+
+    Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
+    passed through elements to the scrubber's `keep_node?` method.
+
+    This change once again allows the scrubber to make the decision on comment nodes, but still skips
+    other non-elements like processing instructions (see #115).
+
+    *Mike Dalessio*
+
+  ## 1.4.0 / 2021-08-18
+
+  * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+    Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+    are no known security issues associated with these PIs, but similar to comments it's preferred to
+    omit these nodes when possible from sanitized output.
+
+    Fixes #115.
+
+    *Mike Dalessio*
+
+-------------------------------------------------------------------
+Tue Nov 12 15:06:13 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 1.3.0
+
+  * Address deprecations in Loofah 2.3.0.
+
+    *Josh Goodall*
+
+-------------------------------------------------------------------
+Thu Aug 15 18:01:28 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 1.2.0
+
+  * Remove needless `white_list_sanitizer` deprecation.
+
+    By deprecating this, we were forcing Rails 5.2 to be updated or spew
+    deprecations that users could do nothing about.
+
+    That's pointless and I'm sorry for adding that!
+
+    Now there's no deprecation warning and Rails 5.2 works out of the box, while
+    Rails 6 can use the updated naming.
+
+    *Kasper Timm Hansen*
+
+-------------------------------------------------------------------
+Fri Mar 23 09:55:41 UTC 2018 - dkang@suse.com
+
+- updated to version 1.0.4
+  * CVE-2018-3741: XSS vulnerability
+  see installed CHANGELOG.md
+  fix bsc#1086598
+
+-------------------------------------------------------------------
+Tue Jan 26 05:35:48 UTC 2016 - coolo@suse.com
+
+- updated to version 1.0.3:
+  * boo#963326: CVE-2015-7578: XSS vulnerability via attributes
+  * boo#963327: CVE-2015-7579: XSS vulnerability
+  * boo#963328: CVE-2015-7580: XSS via whitelist sanitizer
+
+-------------------------------------------------------------------
+Mon Mar 16 06:51:40 UTC 2015 - coolo@suse.com
+
+- updated to version 1.0.2, no changelog
+
+-------------------------------------------------------------------
+Mon Feb  9 08:20:28 UTC 2015 - coolo@suse.com
+
+- initial package (version 1.0.1)
--- a/rubygem-rails-html-sanitizer.spec
+++ b/rubygem-rails-html-sanitizer.spec
@ -0,0 +1,62 @@
+#
+# spec file for package rubygem-rails-html-sanitizer
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#
+# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
+# All sections marked as MANUAL, license headers, summaries and descriptions
+# can be maintained in that file. Please consult this file before editing any
+# of those fields
+#
+
+Name:           rubygem-rails-html-sanitizer
+Version:        1.6.0
+Release:        0
+%define mod_name rails-html-sanitizer
+%define mod_full_name %{mod_name}-%{version}
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildRequires:  %{rubygem gem2rpm}
+BuildRequires:  %{ruby}
+BuildRequires:  ruby-macros >= 5
+URL:            https://github.com/rails/rails-html-sanitizer
+Source:         https://rubygems.org/gems/%{mod_full_name}.gem
+Source1:        gem2rpm.yml
+Summary:        HTML sanitization to Rails applications (part of Rails)
+License:        MIT
+Group:          Development/Languages/Ruby
+
+%description
+This gem is responsible for sanitizing HTML fragments in Rails applications.
+Specifically, this is the set of sanitizers used to implement the Action View
+SanitizerHelper methods sanitize, sanitize_css, strip_tags and strip_links.
+
+Rails HTML Sanitizer is only intended to be used with Rails applications. If
+you need similar functionality but aren't using Rails, consider using the
+underlying sanitization library Loofah directly.
+
+%prep
+
+%build
+
+%install
+%gem_install \
+  --doc-files="CHANGELOG.md MIT-LICENSE README.md" \
+  -f
+
+%gem_packages
+
+%changelog