File rubygem-loofah.changes of Package rubygem-loofah.9348

Overview Repositories Revisions Requests Users Attributes Meta

File rubygem-loofah.changes of Package rubygem-loofah.9348

-------------------------------------------------------------------
Mon Nov 26 13:03:39 UTC 2018 - mschnitzer@suse.com

- Modify CVE-2018-8048.patch to patch the gemspec file as well.

The gemspec file needs to be patched in order to ship the
  newly added file 'lib/loofah/html5/libxml2_workarounds.rb' which
  was introduced with patch CVE-2018-8048.patch

-------------------------------------------------------------------
Tue Nov  6 09:35:37 UTC 2018 - mschnitzer@suse.com

- Security Vulnerability Fix: libxml2 >= 2.9.2 fails to escape comments within
  some attributes. It wants to ensure these comments can be treated as
  "server-side includes", but as a result fails to ensure that serialization is
  well-formed, resulting in an opportunity for XSS injection of code into a final
  re-parsed document (presumably in a browser).

See #144 for more details
  and history around this libxml2 issue, which goes back a few
  years.

At this point it's not clear to your humble maintainer why this hasn't
  been addressed upstream by libxml2 maintainers, and so I'm working
  around it in Loofah to protect Loofah users, while simultaneously
  attempting to escalate the issue upstream.

* Added CVE-2018-8048.patch to address this security issue

(bsc#1085967, CVE-2018-8048)

-------------------------------------------------------------------
Tue Nov  6 08:09:40 UTC 2018 - mschnitzer@suse.com

- Security Vulnerability Fix: Unsanitized JavaScript may occur in
  sanitized output when a crafted SVG element is republished.

* Added CVE-2018-16468.patch to address this security issue

(bsc#1113969, CVE-2018-16468)

- Added series file for a better patch handling with quilt

-------------------------------------------------------------------
Wed May  6 04:30:11 UTC 2015 - coolo@suse.com

- updated to version 2.0.2
 see installed CHANGELOG.rdoc

== 2.0.2 / 2015-05-05
  
  Bug fixes:
  
  * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
  * Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
  * Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)

-------------------------------------------------------------------
Wed Nov 12 05:55:25 UTC 2014 - coolo@suse.com

- updated to version 2.0.1
 Bug fixes:
 * Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
 
 Notes:
 * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)

-------------------------------------------------------------------
Mon Oct 13 14:21:06 UTC 2014 - coolo@suse.com

- adapt to new rubygem packaging

-------------------------------------------------------------------
Sun May 18 09:04:34 UTC 2014 - coolo@suse.com

- updated to version 2.0.0
 Compatibility notes:
 
 * ActionView helpers now must be required explicitly: `require "loofah/helpers"`
 * Support for Ruby 1.8.7 and prior has been dropped
 
 Enhancements:
 
 * HTML5 whitelist allows the following ...
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
   * attributes: `data-*` (Thanks, Rafael Franca!)
   * URI attributes: `poster` and `preload`
 * Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
 * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
 
 Bug fixes:
 
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
 * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)

-------------------------------------------------------------------
Mon Jul 30 18:14:41 UTC 2012 - coolo@suse.com

- update to 1.2.1
  * Declaring encoding in html5/scrub.rb. Without this, use of the 
    ruby -KU option would cause havoc. (#32)

-------------------------------------------------------------------
Thu Aug 25 07:42:30 UTC 2011 - fcastelli@novell.com

- add 'Provides rubygem-loofah-1_2'

-------------------------------------------------------------------
Wed Aug 24 21:45:16 UTC 2011 - fcastelli@novell.com

- upgrade to 1.2.0

-------------------------------------------------------------------
Thu Jul 21 16:00:10 UTC 2011 - fcastelli@novell.com

- Upgrade to version 1.0.0
- Add provides loofah_1_0 required to build latest version of
  rubygem-feedzirra.

-------------------------------------------------------------------
Fri Jun 11 18:42:16 UTC 2010 - mrueckert@suse.de

- additional changes from version 0.4.7
  * New methods Loofah::HTML::Document#to_text and
    Loofah::HTML::DocumentFragment#to_text do the right thing with
    whitespace. Note that these methods are significantly slower
    than #text. GH #12
  * Loofah::Elements::BLOCK_LEVEL contains a canonical list of
    HTML4 block-level4 elements.
  * Loofah::HTML::Document#text and
    Loofah::HTML::DocumentFragment#text will return unescaped HTML
    entities by passing :encode_special_chars => false.
- additional changes from version 0.4.4, 0.4.5, 0.4.6
  * Loofah::HTML::Document#text and
    Loofah::HTML::DocumentFragment#text now escape HTML entities.
  * Loofah::XssFoliate was not properly escaping HTML entities when
    implicitly scrubbing a string attribute. GH #17
- additional changes from version 0.4.3
  * All built-in scrubbers are accepted by
    ActiveRecord::Base.xss_foliate
  * Loofah::XssFoliate.xss_foliate_all_models replaces use of the
    constant LOOFAH_XSS_FOLIATE_ALL_MODELS
  * Modified documentation for bootstrapping XssFoliate in a Rails
    app, since the use of Bundler breaks the previously-documented
    method. To be safe, always use an initializer file.
- additional changes from version 0.4.2
  * Implemented Node#scrub! for scrubbing subtrees.
  * Implemented NodeSet#scrub! for scrubbing a set of subtrees.
  * Document.text now only serializes <body> contents
    (ignores <head>)
  * <head>, <html> and <body> added to the HTML5lib whitelist.
  * Supporting Rails apps that aren't loading ActiveRecord. GH #10

-------------------------------------------------------------------
Fri Jun 11 10:00:01 UTC 2010 - mrueckert@suse.de

- use rubygems_requires macro

-------------------------------------------------------------------
Thu Jan  7 18:17:12 CET 2010 - prusnak@suse.cz

- created package

Places

File rubygem-loofah.changes of Package rubygem-loofah.9348

Places