Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
devel:languages:ruby:extensions
rubygem-sanitize
rubygem-sanitize.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File rubygem-sanitize.changes of Package rubygem-sanitize
------------------------------------------------------------------- Tue Nov 14 18:38:27 UTC 2023 - Dan Čermák <dan.cermak@posteo.net> - New upstream release 6.1.0, see bundled HISTORY.md ------------------------------------------------------------------- Tue Jan 25 07:34:21 UTC 2022 - Stephan Kulow <coolo@suse.com> updated to version 6.0.0 see installed HISTORY.md ## 6.0.0 (2021-08-03) ### Potentially Breaking Changes * Ruby 2.5.0 is now the oldest officially supported Ruby version. * Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [@lis2 - #211][211] [211]:https://github.com/rgrove/sanitize/pull/211 ------------------------------------------------------------------- Wed Jan 20 13:21:08 UTC 2021 - Stephan Kulow <coolo@suse.com> updated to version 5.2.3 see installed HISTORY.md ## 5.2.3 (2021-01-11) ### Bug Fixes * Ensure protocol sanitization is applied to data attributes. [@ccutrer - #207][207] [207]:https://github.com/rgrove/sanitize/pull/207 ## 5.2.2 (2021-01-06) ### Bug Fixes * Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [@mscrivo - #206][206] [206]:https://github.com/rgrove/sanitize/pull/206 ------------------------------------------------------------------- Sun Jul 12 04:25:38 UTC 2020 - Matthew Trescott <matthewtrescott@gmail.com> - updated to version 5.2.1 (fixes CVE-2020-4054) see installed HISTORY.md ## 5.2.1 (2020-06-16) ### Bug Fixes * Fixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0. When HTML was sanitized using the "relaxed" config or a custom config that allows certain elements, some content in a `<math>` or `<svg>` element may not have beeen sanitized correctly even if `math` and `svg` were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: - `iframe` - `math` - `noembed` - `noframes` - `noscript` - `plaintext` - `script` - `style` - `svg` - `xmp` See the security advisory for more details, including a workaround if you're not able to upgrade: [GHSA-p4x4-rw2p-8j8m] Many thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix. [GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m ## 5.2.0 (2020-06-06) ### Changes * The term "whitelist" has been replaced with "allowlist" throughout Sanitize's source and documentation. While the etymology of "whitelist" may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in "blacklist") is not. This is a change I should have made long ago, and I apologize for not making it sooner. * In transformer input, the `:is_whitelisted` and `:node_whitelist` keys are now deprecated. New `:is_allowlisted` and `:node_allowlist` keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release. ------------------------------------------------------------------- Mon Feb 10 15:45:56 UTC 2020 - Stephan Kulow <coolo@suse.com> - updated to version 5.1.0 see installed HISTORY.md ## 5.1.0 (2019-09-07) ### Features * Added a `:parser_options` config hash, which makes it possible to pass custom parsing options to Nokogumbo. [@austin-wang - #194][194] ### Bug Fixes * Non-characters and non-whitespace control characters are now stripped from HTML input before parsing to comply with the HTML Standard's [preprocessing guidelines][html-preprocessing]. Prior to this Sanitize had adhered to [older W3C guidelines][unicode-xml] that have since been withdrawn. [#179][179] [179]:https://github.com/rgrove/sanitize/issues/179 [194]:https://github.com/rgrove/sanitize/pull/194 [html-preprocessing]:https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream [unicode-xml]:https://www.w3.org/TR/unicode-xml/ ------------------------------------------------------------------- Thu Nov 22 05:35:22 UTC 2018 - Stephan Kulow <coolo@suse.com> - updated to version 5.0.0 see installed HISTORY.md ## 5.0.0 (2018-10-14) For most users, upgrading from 4.x shouldn't require any changes. However, the minimum required Ruby version has changed, and Sanitize 5.x's HTML output may differ in some small ways from 4.x's output. If this matters to you, please review the changes below carefully. ### Potentially Breaking Changes * Ruby 2.3.0 is now the oldest officially supported Ruby version. Sanitize may work in older 2.x Rubies, but they aren't actively tested. Sanitize definitely no longer works in Ruby 1.9.x. * Upgraded to Nokogumbo 2.x, which fixes various bugs and adds standard-compliant HTML serialization. [@stevecheckoway - #189][189] * Children of the following elements are now removed by default when these elements are removed, rather than being preserved and escaped: - `iframe` - `noembed` - `noframes` - `noscript` - `script` - `style` * Children of whitelisted `iframe` elements are now always removed. In modern HTML, `iframe` elements should never have children. In HTML 4 and earlier `iframe` elements were allowed to contain fallback content for legacy browsers, but it's been almost two decades since that was useful. * Fixed a bug that caused `:remove_contents` to behave as if it were set to `true` when it was actually an Array. [189]:https://github.com/rgrove/sanitize/pull/189 ------------------------------------------------------------------- Wed Sep 5 10:41:41 UTC 2018 - coolo@suse.com - updated to version 4.6.6 see installed HISTORY.md ## 4.6.6 (2018-07-23) * Improved performance and memory usage by optimizing `Sanitize#transform_node!` [@stanhu - #183][183] [183]:https://github.com/rgrove/sanitize/pull/183 ------------------------------------------------------------------- Thu May 17 04:24:09 UTC 2018 - factory-auto@kulow.org - updated to version 4.6.5 see installed HISTORY.md ## 4.6.5 (2018-05-16) * Improved performance slightly by tweaking the order of built-in transformers. [@rafbm - #180][180] [180]:https://github.com/rgrove/sanitize/pull/180 ------------------------------------------------------------------- Wed Mar 21 05:31:08 UTC 2018 - factory-auto@kulow.org - updated to version 4.6.4 see installed HISTORY.md ## 4.6.4 (2018-03-20) * Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. [@zetter - #177][177] [177]:https://github.com/rgrove/sanitize/issues/177 ------------------------------------------------------------------- Tue Mar 20 10:16:57 UTC 2018 - factory-auto@kulow.org - updated to version 4.6.3 see installed HISTORY.md ## 4.6.3 (2018-03-19) * Fixed an HTML injection vulnerability that could allow XSS. When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. Sanitize now performs additional escaping on affected attributes to prevent this. Many thanks to the Shopify Application Security Team for responsibly reporting this issue. ## 4.6.2 (2018-03-19) * Reduced string allocations to optimize memory usage. [@janklimo - #175][175] [175]:https://github.com/rgrove/sanitize/pull/175 ## 4.6.1 (2018-03-15) * Added support for frozen string literals in Ruby 2.4+. [@flavorjones - #174][174] [174]:https://github.com/rgrove/sanitize/pull/174 ------------------------------------------------------------------- Tue Jan 30 12:56:20 UTC 2018 - cbruckmayer@suse.com - updated to version 4.6.0 ## 4.6.0 (2018-01-29) * Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. @rafbm - #171 ------------------------------------------------------------------- Tue Jun 6 05:40:56 UTC 2017 - coolo@suse.com - updated to version 4.5.0 see installed HISTORY.md ## 4.5.0 (2017-06-04) * Added SVG-related CSS properties to the relaxed config. See [the diff][161] for the full list of added properties. [@louim - #161][161] * Fixed: Sanitize now strips null bytes (``) before passing input to Nokogumbo, since they can cause recent versions to crash with a failed assertion in the Gumbo parser. [161]:https://github.com/rgrove/sanitize/pull/161 ------------------------------------------------------------------- Sat Oct 8 04:36:29 UTC 2016 - coolo@suse.com - updated to version 4.4.0 see installed HISTORY.md ## 4.4.0 (2016-09-29) * Added `srcset` to the attribute whitelist for `img` elements in the relaxed config. [@ejtttje - #156][156] [156]:https://github.com/rgrove/sanitize/pull/156 ------------------------------------------------------------------- Wed Sep 21 04:50:39 UTC 2016 - coolo@suse.com - updated to version 4.3.0 see installed HISTORY.md ## 4.3.0 (2016-09-20) * Methods can now be used as transformers. [@Skipants - #155][155] [155]:https://github.com/rgrove/sanitize/pull/155 ------------------------------------------------------------------- Tue Aug 23 04:41:24 UTC 2016 - coolo@suse.com - updated to version 4.2.0 see installed HISTORY.md ## 4.2.0 (2016-08-22) * Added `-webkit-font-smoothing` to the relaxed CSS config. [@louim - #154][154] * Fixed: Nokogumbo >=1.4.9 changed its behavior in a way that allowed invalid doctypes (like `<!DOCTYPE nonsense>`) when the `:allow_doctype` config setting was `true`. Invalid doctypes are now coerced to valid ones as they were prior to this Nokogumbo change. [154]:https://github.com/rgrove/sanitize/pull/154 ------------------------------------------------------------------- Mon Jul 18 04:39:33 UTC 2016 - coolo@suse.com - updated to version 4.1.0 see installed HISTORY.md ------------------------------------------------------------------- Thu Dec 10 05:35:22 UTC 2015 - coolo@suse.com - updated to version 4.0.1 see installed HISTORY.md Version 4.0.1 (2015-12-09) -------------------------- * Unpinned the Nokogumbo dependency. [@rubys - #141][141] [141]:https://github.com/rgrove/sanitize/pull/141 ------------------------------------------------------------------- Tue Apr 21 04:30:53 UTC 2015 - coolo@suse.com - updated to version 4.0.0 ------------------------------------------------------------------- Mon Feb 23 05:30:10 UTC 2015 - coolo@suse.com - updated to version 3.1.2 ------------------------------------------------------------------- Mon Feb 9 08:06:40 UTC 2015 - coolo@suse.com - updated to version 3.1.1, see HISTORY.md ------------------------------------------------------------------- Mon Oct 13 18:44:15 UTC 2014 - coolo@suse.com - adapt to new rubygem packaging ------------------------------------------------------------------- Thu Feb 6 18:00:13 UTC 2014 - coolo@suse.com - updated to version 2.1.0 * Added support for whitelisting arbitrary HTML5 `data-*` attributes. Use the symbol `:data` instead of an attribute name in the `:attributes` config to indicate that arbitrary data attributes should be allowed on an element. * Added the following elements to the relaxed config: `address`, `bdi`, `hr`, and `summary`. * Fixed: A colon (`:`) character in a URL fragment identifier such as `#foo:1` was incorrectly treated as a protocol delimiter. [@heathd - #87][87] [87]:https://github.com/rgrove/sanitize/pull/87 ------------------------------------------------------------------- Sun Jul 21 06:32:19 UTC 2013 - coolo@suse.com - updated to version 2.0.6 * Fixed: Version 2.0.5 inadvertently included some work-in-progress changes that shouldn't have made their way into the master branch. This is what happens when I release before coffee instead of after. * Loosened the Nokogiri dependency back to >= 1.4.4 to allow Sanitize to coexist in newer Rubies with other libraries that restrict Nokogiri to 1.5.x for 1.8.7 compatibility. Sanitize still no longer supports 1.8.7, but this should make life easier for people who need those other libs. ------------------------------------------------------------------- Thu Jun 13 05:25:48 UTC 2013 - coolo@suse.com - updated to version 2.0.4 * Added `Sanitize.clean_document`, which sanitizes a full HTML document rather than just a fragment. [Ben Anderson] * Nokogiri dependency bumped to 1.6.x. * Dropped support for Ruby versions older than 1.9.2. ------------------------------------------------------------------- Fri Dec 28 13:01:28 UTC 2012 - coolo@suse.com - initial package (version 2.0.3)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor