From 60e1ec9992c6dc51a170b143a181421b24e1b6d03a9880cc0ab92a062674a35b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 6 Feb 2025 18:13:25 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main rubygem-rails-html-sanitizer revision 65472f83bf855ab1517fee5d98094939

---
.gitattributes | 23 +++
gem2rpm.yml | 2 +
rails-html-sanitizer-1.6.0.gem | 3 +
rubygem-rails-html-sanitizer.changes | 200 +++++++++++++++++++++++++++
rubygem-rails-html-sanitizer.spec | 62 +++++++++
5 files changed, 290 insertions(+)
create mode 100644 .gitattributes
create mode 100644 gem2rpm.yml
create mode 100644 rails-html-sanitizer-1.6.0.gem
create mode 100644 rubygem-rails-html-sanitizer.changes
create mode 100644 rubygem-rails-html-sanitizer.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/gem2rpm.yml b/gem2rpm.yml
new file mode 100644
index 0000000..e8f3639
--- /dev/null
+++ b/gem2rpm.yml
@@ -0,0 +1,2 @@
+# ---
+:summary: HTML sanitization to Rails applications (part of Rails)
diff --git a/rails-html-sanitizer-1.6.0.gem b/rails-html-sanitizer-1.6.0.gem
new file mode 100644
index 0000000..b8db63a
--- /dev/null
+++ b/rails-html-sanitizer-1.6.0.gem
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86e9f19d2e6748890dcc2633c8945ca45baa08a1df9d8c215ce17b3b0afaa4de
+size 23552
diff --git a/rubygem-rails-html-sanitizer.changes b/rubygem-rails-html-sanitizer.changes
new file mode 100644
index 0000000..a9b51ed
--- /dev/null
+++ b/rubygem-rails-html-sanitizer.changes
@@ -0,0 +1,200 @@ +------------------------------------------------------------------- +Thu Aug 31 14:35:11 UTC 2023 - Paolo Perego + +- Updated to version 1.6.0 + + * Dependencies have been updated: + + - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support + - As a result, required Ruby version is now `>= 2.7.0` + + Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1 + (which supports Ruby 2.5) is still in security support. + + *Mike Dalessio* + + * HTML5 standards-compliant sanitizers are now available on platforms supported by + Nokogiri::HTML5. These are available as: + + - `Rails::HTML5::FullSanitizer` + - `Rails::HTML5::LinkSanitizer` + - `Rails::HTML5::SafeListSanitizer` + + And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version + of Rails. + + Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical + to the vendor class methods on `Rails::HTML::Sanitizer`. + + Users may call `Rails::HTML::Sanitizer.best_supported_vendor` to get back the HTML5 vendor if it's + supported, else the legacy HTML4 vendor. + + *Mike Dalessio* + + * Module namespaces have changed, but backwards compatibility is provided by aliases. + + The library defines three additional modules: + + - `Rails::HTML` for general functionality (replacing `Rails::Html`) + - `Rails::HTML4` containing sanitizers that parse content as HTML4 + - `Rails::HTML5` containing sanitizers that parse content as HTML5 + + The following aliases are maintained for backwards compatibility: + + - `Rails::Html` points to `Rails::HTML` + - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer` + - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer` + - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer` + + *Mike Dalessio* + + * `LinkSanitizer` always returns UTF-8 encoded strings. 
`SafeListSanitizer` and `FullSanitizer` + already ensured this encoding. + + *Mike Dalessio* + + * `SafeListSanitizer` allows `time` tag and `lang` attribute by default. + + *Mike Dalessio* + + * The constant `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the + existing sanitizers, and should have been a private constant all along anyway. + + *Mike Dalessio* + +- Removed comparison against a very old ruby code no longer maintained +- Updated description in spec file + +------------------------------------------------------------------- +Wed Feb 22 16:23:02 UTC 2023 - Paolo Perego + +- updated to version 1.5.0 + * SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags. + + By default, unsafe tags are still stripped, but this behavior can be + changed to prune the elementand its children from the document by passing + prune: true to any of these classes' constructors. + + @seyerian + + ## 1.4.4 / 2022-12-13 + + * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. + Fixes CVE-2022-23517 (bsc#1206433). See GHSA-5x79-w82f-gw8w for more information. + + _Mike Dalessio_ + + * Address improper sanitization of data URIs. + Fixes CVE-2022-23518 (bsc#1206434) and #135. See GHSA-mcvf-2q2m-x72m for more information. + + _Mike Dalessio_ + + * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. + Fixes CVE-2022-23520 (bsc#1206436). See GHSA-rrfc-7g8p-99q8 for more information. + + _Mike Dalessio_ + + * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. + Fixes CVE-2022-23519 (bsc#1206435). See GHSA-9h9g-93gc-623h for more information. 
+ + _Mike Dalessio_ + +------------------------------------------------------------------- +Mon Jun 13 17:09:28 UTC 2022 - Manuel Schnitzer + +- updated to version 1.4.3 + + * Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. + + Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer. + + Fixes CVE-2022-32209: bsc#1201183. File 0001_CVE-2022-32209.patch no longer required. + + *Mike Dalessio* + +------------------------------------------------------------------- +Wed Aug 25 05:24:58 UTC 2021 - Manuel Schnitzer + +- updated to version 1.4.2 + + * Slightly improve performance. + + Assuming elements are more common than comments, make one less method call per node. + + *Mike Dalessio* + + ## 1.4.1 / 2021-08-18 + + * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber. + + Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only + passed through elements to the scrubber's `keep_node?` method. + + This change once again allows the scrubber to make the decision on comment nodes, but still skips + other non-elements like processing instructions (see #115). + + *Mike Dalessio* + + ## 1.4.0 / 2021-08-18 + + * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber + + Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There + are no known security issues associated with these PIs, but similar to comments it's preferred to + omit these nodes when possible from sanitized output. + + Fixes #115. + + *Mike Dalessio* + +------------------------------------------------------------------- +Tue Nov 12 15:06:13 UTC 2019 - Manuel Schnitzer + +- updated to version 1.3.0 + + * Address deprecations in Loofah 2.3.0. 
+ + *Josh Goodall* + +------------------------------------------------------------------- +Thu Aug 15 18:01:28 UTC 2019 - Manuel Schnitzer + +- updated to version 1.2.0 + + * Remove needless `white_list_sanitizer` deprecation. + + By deprecating this, we were forcing Rails 5.2 to be updated or spew + deprecations that users could do nothing about. + + That's pointless and I'm sorry for adding that! + + Now there's no deprecation warning and Rails 5.2 works out of the box, while + Rails 6 can use the updated naming. + + *Kasper Timm Hansen* + +------------------------------------------------------------------- +Fri Mar 23 09:55:41 UTC 2018 - dkang@suse.com + +- updated to version 1.0.4 + * CVE-2018-3741: XSS vulnerability + see installed CHANGELOG.md + fix bsc#1086598 + +------------------------------------------------------------------- +Tue Jan 26 05:35:48 UTC 2016 - coolo@suse.com + +- updated to version 1.0.3: + * boo#963326: CVE-2015-7578: XSS vulnerability via attributes + * boo#963327: CVE-2015-7579: XSS vulnerability + * boo#963328: CVE-2015-7580: XSS via whitelist sanitizer + +------------------------------------------------------------------- +Mon Mar 16 06:51:40 UTC 2015 - coolo@suse.com + +- updated to version 1.0.2, no changelog + +------------------------------------------------------------------- +Mon Feb 9 08:20:28 UTC 2015 - coolo@suse.com + +- initial package (version 1.0.1) diff --git a/rubygem-rails-html-sanitizer.spec b/rubygem-rails-html-sanitizer.spec new file mode 100644 index 0000000..7752d9d --- /dev/null +++ b/rubygem-rails-html-sanitizer.spec 
@@ -0,0 +1,62 @@ +# +# spec file for package rubygem-rails-html-sanitizer +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +# +# This file was generated with a gem2rpm.yml and not just plain gem2rpm. +# All sections marked as MANUAL, license headers, summaries and descriptions +# can be maintained in that file. Please consult this file before editing any +# of those fields +# + +Name: rubygem-rails-html-sanitizer +Version: 1.6.0 +Release: 0 +%define mod_name rails-html-sanitizer +%define mod_full_name %{mod_name}-%{version} +BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: %{rubygem gem2rpm} +BuildRequires: %{ruby} +BuildRequires: ruby-macros >= 5 +URL: https://github.com/rails/rails-html-sanitizer +Source: https://rubygems.org/gems/%{mod_full_name}.gem +Source1: gem2rpm.yml +Summary: HTML sanitization to Rails applications (part of Rails) +License: MIT +Group: Development/Languages/Ruby + +%description +This gem is responsible for sanitizing HTML fragments in Rails applications. +Specifically, this is the set of sanitizers used to implement the Action View +SanitizerHelper methods sanitize, sanitize_css, strip_tags and strip_links. + +Rails HTML Sanitizer is only intended to be used with Rails applications. If +you need similar functionality but aren't using Rails, consider using the +underlying sanitization library Loofah directly. 
+ +%prep + +%build + +%install +%gem_install \ + --doc-files="CHANGELOG.md MIT-LICENSE README.md" \ + -f + +%gem_packages + +%changelog
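Review bot: The spec pins `Version: 1.6.0` with an empty `%prep` and no `Patch:` lines, yet the newest entry in the accompanying changes file is from Aug 2023 while this sync commit is dated Feb 2025; before this revision ships in SLFO:Main it is worth confirming against upstream whether a newer 1.6.x security release exists, because the changes file records a long run of XSS CVEs for this gem (CVE-2015-7578 through CVE-2022-32209) and nothing in the spec would carry a backported fix. If a newer upstream is available the fix is the usual version bump plus a changes entry naming the CVEs it addresses; if 1.6.0 is deliberately pinned for SLFO, a comment above the Version tag such as `# 1.6.0 pinned for SLFO:Main; track upstream rails-html-sanitizer advisories` would record that decision for the next reviewer. Note also that the `Source:` URL pointing at rubygems.org is presumably informational here, since the gem is committed as an LFS object whose sha256 is in the pointer file — that checksum, not the URL, is what anchors the supply chain for this package, so keep it in sync when the version changes.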