factory
Loofah issue should be okay now
- Update to version 1.7.0
  * Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.
  * The minimum Loofah dependency is now ~> 2.25.
- Update to version 1.6.2
  * PermitScrubber fully supports frozen "allowed tags".
    - v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.
- Version 1.6.1
  * The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8. This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).
  * Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.
    The CVEs addressed by this change are:
    * CVE-2024-53986 (GHSA-638j-pmjw-jq48)
    * CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)
  * The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.
    The CVEs addressed by this change are:
    * CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
    * CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)
    Please note that we may restore support for allowing "noscript" in a future
OBS-URL: https://build.opensuse.org/request/show/1347656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rubygem-rails-html-sanitizer?expand=0&rev=13
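As an added illustration (not the rails-html-sanitizer gem's own code), a minimal scrubber showing the two allowlist behaviours the 1.6.1 and 1.6.2 entries above describe: the caller's tag list is copied before it is filtered, so a frozen Array does not raise FrozenError, and "noscript", "mglyph" and "malignmark" are dropped with a warning even when an application allows them. The class and method names are hypothetical.

```ruby
require 'set'

# Tags that stay disallowed even if an application adds them to its
# allowlist (the 1.6.1 entry above).
UNSAFE_TAGS = %w[noscript mglyph malignmark].freeze

# Hypothetical stand-in for a PermitScrubber-style allowlist holder.
class DemoPermitScrubber
  attr_reader :tags, :attributes, :warnings

  def initialize
    @tags = nil        # nil means "use the library default allowlist"
    @attributes = nil
    @warnings = []
  end

  # Copy the caller's collection before touching it: a frozen Array or Set
  # passed by the application must not be mutated (the 1.6.2 regression).
  def tags=(tags)
    copy = Set.new(tags.to_a)
    removed = copy & UNSAFE_TAGS
    unless removed.empty?
      @warnings << "removing unsafe tags from allowlist: #{removed.to_a.sort.join(', ')}"
      copy.subtract(removed)
    end
    @tags = copy
  end

  def attributes=(attributes)
    @attributes = Set.new(attributes.to_a)
  end

  # A tag is allowed only if it is in the (filtered) allowlist; with no
  # explicit allowlist, only the hard-coded unsafe tags are refused.
  def allowed_tag?(name)
    @tags.nil? ? !UNSAFE_TAGS.include?(name) : @tags.include?(name)
  end
end
```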