Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12-SP1:GA
rubygem-loofah
rubygem-loofah.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File rubygem-loofah.changes of Package rubygem-loofah
------------------------------------------------------------------- Tue Oct 25 10:43:26 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com> - Added patch CVE-2019-15587.patch to fix CVE-2019-15587 (bsc#1154751) - Updated CVE-2018-8048.patch to apply again ------------------------------------------------------------------- Thu Aug 22 06:20:07 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com> - Update CVE-2018-8048.patch (bsc#1086598) This makes Loofah::HTML5::Scrub.force_correct_attribute_escaping! callable from other gems as well - no need to make it private. In the newest upstream version of loofah, force_correct_attribute_escaping! can already be called by other gems as well (such as rails-html-sanitizer) This fixes an issue with the recent update of rubygem-rails-html-sanitizer which needs to call this method to mitigate CVE-2018-8048 successfully. ------------------------------------------------------------------- Mon Nov 26 13:03:39 UTC 2018 - mschnitzer@suse.com - Modify CVE-2018-8048.patch to patch the gemspec file as well. The gemspec file needs to be patched in order to ship the newly added file 'lib/loofah/html5/libxml2_workarounds.rb' which was introduced with patch CVE-2018-8048.patch ------------------------------------------------------------------- Tue Nov 6 09:35:37 UTC 2018 - mschnitzer@suse.com - Security Vulnerability Fix: libxml2 >= 2.9.2 fails to escape comments within some attributes. It wants to ensure these comments can be treated as "server-side includes", but as a result fails to ensure that serialization is well-formed, resulting in an opportunity for XSS injection of code into a final re-parsed document (presumably in a browser). See #144 for more details and history around this libxml2 issue, which goes back a few years. At this point it's not clear to your humble maintainer why this hasn't been addressed upstream by libxml2 maintainers, and so I'm working around it in Loofah to protect Loofah users, while simultaneously attempting to escalate the issue upstream. * Added CVE-2018-8048.patch to address this security issue (bsc#1085967, CVE-2018-8048) ------------------------------------------------------------------- Tue Nov 6 08:09:40 UTC 2018 - mschnitzer@suse.com - Security Vulnerability Fix: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. * Added CVE-2018-16468.patch to address this security issue (bsc#1113969, CVE-2018-16468) - Added series file for a better patch handling with quilt ------------------------------------------------------------------- Wed May 6 04:30:11 UTC 2015 - coolo@suse.com - updated to version 2.0.2 see installed CHANGELOG.rdoc == 2.0.2 / 2015-05-05 Bug fixes: * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75 * Allow multi-word data attributes. #84 (Thanks, @jstorimer!) * Allow negative values in CSS properties. #85 (Thanks, @siddhartham!) ------------------------------------------------------------------- Wed Nov 12 05:55:25 UTC 2014 - coolo@suse.com - updated to version 2.0.1 Bug fixes: * Load RR correctly when running test files directly. (Thanks, @ktdreyer!) Notes: * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!) ------------------------------------------------------------------- Mon Oct 13 14:21:06 UTC 2014 - coolo@suse.com - adapt to new rubygem packaging ------------------------------------------------------------------- Sun May 18 09:04:34 UTC 2014 - coolo@suse.com - updated to version 2.0.0 Compatibility notes: * ActionView helpers now must be required explicitly: `require "loofah/helpers"` * Support for Ruby 1.8.7 and prior has been dropped Enhancements: * HTML5 whitelist allows the following ... * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time` * attributes: `data-*` (Thanks, Rafael Franca!) * URI attributes: `poster` and `preload` * Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!) * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!) * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!) Bug fixes: * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!) * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!) ------------------------------------------------------------------- Mon Jul 30 18:14:41 UTC 2012 - coolo@suse.com - update to 1.2.1 * Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32) ------------------------------------------------------------------- Thu Aug 25 07:42:30 UTC 2011 - fcastelli@novell.com - add 'Provides rubygem-loofah-1_2' ------------------------------------------------------------------- Wed Aug 24 21:45:16 UTC 2011 - fcastelli@novell.com - upgrade to 1.2.0 ------------------------------------------------------------------- Thu Jul 21 16:00:10 UTC 2011 - fcastelli@novell.com - Upgrade to version 1.0.0 - Add provides loofah_1_0 required to build latest version of rubygem-feedzirra. ------------------------------------------------------------------- Fri Jun 11 18:42:16 UTC 2010 - mrueckert@suse.de - additional changes from version 0.4.7 * New methods Loofah::HTML::Document#to_text and Loofah::HTML::DocumentFragment#to_text do the right thing with whitespace. Note that these methods are significantly slower than #text. GH #12 * Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements. * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text will return unescaped HTML entities by passing :encode_special_chars => false. - additional changes from version 0.4.4, 0.4.5, 0.4.6 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities. * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17 - additional changes from version 0.4.3 * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS * Modified documentation for bootstrapping XssFoliate in a Rails app, since the use of Bundler breaks the previously-documented method. To be safe, always use an initializer file. - additional changes from version 0.4.2 * Implemented Node#scrub! for scrubbing subtrees. * Implemented NodeSet#scrub! for scrubbing a set of subtrees. * Document.text now only serializes <body> contents (ignores <head>) * <head>, <html> and <body> added to the HTML5lib whitelist. * Supporting Rails apps that aren't loading ActiveRecord. GH #10 ------------------------------------------------------------------- Fri Jun 11 10:00:01 UTC 2010 - mrueckert@suse.de - use rubygems_requires macro ------------------------------------------------------------------- Thu Jan 7 18:17:12 CET 2010 - prusnak@suse.cz - created package
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor