File rubygem-sanitize.changes of Package rubygem-sanitize

-------------------------------------------------------------------
Wed Jan 29 08:18:05 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- update to 7.0.0:
  Sanitize has no breaking API changes in this release, but the
  major version number has been incremented because we've dropped
  support for end-of-life versions of Ruby. As long as you're using
  Ruby 3.1.0 or later, this should be a painless upgrade!
  * Added
    - Added over 100 new CSS properties to the relaxed config,
      representing all properties that are listed with a status of
      "Working Draft" or better in the latest W3C "All Properties"
      list.
    - Added the @container CSS at-rule to the relaxed config.
    - Added the -webkit-text-fill-color CSS property to the relaxed
      config. @radar - #244
  * Changed
    - Ruby 3.1.0 is now the oldest supported Ruby version.
    - Sanitize now requires Nokogiri 1.16.8 or higher.

-------------------------------------------------------------------
Mon Nov  4 17:32:31 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>

- New upstream release 6.1.3, see bundled HISTORY.md

-------------------------------------------------------------------
Fri Jun 21 10:43:09 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>

- New upstream release 6.1.1, see bundled HISTORY.md

-------------------------------------------------------------------
Tue Nov 14 18:38:27 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>

- New upstream release 6.1.0, see bundled HISTORY.md

-------------------------------------------------------------------
Tue Jan 25 07:34:21 UTC 2022 - Stephan Kulow <coolo@suse.com>

- updated to version 6.0.0
 see installed HISTORY.md

  ## 6.0.0 (2021-08-03)
  
  ### Potentially Breaking Changes
  
  * Ruby 2.5.0 is now the oldest officially supported Ruby version.
  
  * Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo.
    The separate dependency on Nokogumbo has been removed. [@lis2 - #211][211]
  
  [211]:https://github.com/rgrove/sanitize/pull/211
  

-------------------------------------------------------------------
Wed Jan 20 13:21:08 UTC 2021 - Stephan Kulow <coolo@suse.com>

- updated to version 5.2.3
 see installed HISTORY.md

  ## 5.2.3 (2021-01-11)
  
  ### Bug Fixes
  
  * Ensure protocol sanitization is applied to data attributes.
    [@ccutrer - #207][207]
  
  [207]:https://github.com/rgrove/sanitize/pull/207
  
  ## 5.2.2 (2021-01-06)
  
  ### Bug Fixes
  
  * Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a
    custom transformer. [@mscrivo - #206][206]
  
  [206]:https://github.com/rgrove/sanitize/pull/206
  

-------------------------------------------------------------------
Sun Jul 12 04:25:38 UTC 2020 - Matthew Trescott <matthewtrescott@gmail.com>

- updated to version 5.2.1 (fixes CVE-2020-4054)
 see installed HISTORY.md
 
  ## 5.2.1 (2020-06-16)
  
  ### Bug Fixes
  
  * Fixed an HTML sanitization bypass that could allow XSS. This issue affects
    Sanitize versions 3.0.0 through 5.2.0.
    
    When HTML was sanitized using the "relaxed" config or a custom config that
    allows certain elements, some content in a `<math>` or `<svg>` element may not
    have been sanitized correctly even if `math` and `svg` were not in the
    allowlist. This could allow carefully crafted input to sneak arbitrary HTML
    through Sanitize, potentially enabling an XSS (cross-site scripting) attack.
    
    You are likely to be vulnerable to this issue if you use Sanitize's relaxed
    config or a custom config that allows one or more of the following HTML
    elements:
    
      -   `iframe`
      -   `math`
      -   `noembed`
      -   `noframes`
      -   `noscript`
      -   `plaintext`
      -   `script`
      -   `style`
      -   `svg`
      -   `xmp`
    
    See the security advisory for more details, including a workaround if you're
    not able to upgrade: [GHSA-p4x4-rw2p-8j8m]
    
    Many thanks to Michał Bentkowski of Securitum for reporting this issue and
    helping to verify the fix.
    
  [GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
  
  ## 5.2.0 (2020-06-06)
  
  ### Changes
  
  * The term "whitelist" has been replaced with "allowlist" throughout Sanitize's
    source and documentation.
    
    While the etymology of "whitelist" may not be explicitly racist in origin or
    intent, there are inherent racial connotations in the implication that white
    is good and black (as in "blacklist") is not.
    
    This is a change I should have made long ago, and I apologize for not making
    it sooner.
    
  * In transformer input, the `:is_whitelisted` and `:node_whitelist` keys are now
    deprecated. New `:is_allowlisted` and `:node_allowlist` keys have been added.
    The old keys will continue to work in order to avoid breaking existing code,
    but they are no longer documented and may be removed in a future semver major
    release.

-------------------------------------------------------------------
Mon Feb 10 15:45:56 UTC 2020 - Stephan Kulow <coolo@suse.com>

- updated to version 5.1.0
 see installed HISTORY.md

  ## 5.1.0 (2019-09-07)
  
  ### Features
  
  * Added a `:parser_options` config hash, which makes it possible to pass custom
    parsing options to Nokogumbo. [@austin-wang - #194][194]
  
  ### Bug Fixes
  
  * Non-characters and non-whitespace control characters are now stripped from
    HTML input before parsing to comply with the HTML Standard's [preprocessing
    guidelines][html-preprocessing]. Prior to this Sanitize had adhered to [older
    W3C guidelines][unicode-xml] that have since been withdrawn. [#179][179]
  
  [179]:https://github.com/rgrove/sanitize/issues/179
  [194]:https://github.com/rgrove/sanitize/pull/194
  [html-preprocessing]:https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream
  [unicode-xml]:https://www.w3.org/TR/unicode-xml/

-------------------------------------------------------------------
Thu Nov 22 05:35:22 UTC 2018 - Stephan Kulow <coolo@suse.com>

- updated to version 5.0.0
 see installed HISTORY.md

  ## 5.0.0 (2018-10-14)
  
  For most users, upgrading from 4.x shouldn't require any changes. However, the
  minimum required Ruby version has changed, and Sanitize 5.x's HTML output may
  differ in some small ways from 4.x's output. If this matters to you, please
  review the changes below carefully.
  
  ### Potentially Breaking Changes
  
  * Ruby 2.3.0 is now the oldest officially supported Ruby version. Sanitize may
    work in older 2.x Rubies, but they aren't actively tested. Sanitize definitely
    no longer works in Ruby 1.9.x.
  
  * Upgraded to Nokogumbo 2.x, which fixes various bugs and adds
    standard-compliant HTML serialization. [@stevecheckoway - #189][189]
  
  * Children of the following elements are now removed by default when these
    elements are removed, rather than being preserved and escaped:
  
    - `iframe`
    - `noembed`
    - `noframes`
    - `noscript`
    - `script`
    - `style`
  
  * Children of whitelisted `iframe` elements are now always removed. In modern
    HTML, `iframe` elements should never have children. In HTML 4 and earlier
    `iframe` elements were allowed to contain fallback content for legacy
    browsers, but it's been almost two decades since that was useful.
  
  * Fixed a bug that caused `:remove_contents` to behave as if it were set to
    `true` when it was actually an Array.
  
  [189]:https://github.com/rgrove/sanitize/pull/189

-------------------------------------------------------------------
Wed Sep  5 10:41:41 UTC 2018 - coolo@suse.com

- updated to version 4.6.6
 see installed HISTORY.md

  ## 4.6.6 (2018-07-23)
  
  * Improved performance and memory usage by optimizing `Sanitize#transform_node!`
    [@stanhu - #183][183]
  
  [183]:https://github.com/rgrove/sanitize/pull/183

-------------------------------------------------------------------
Thu May 17 04:24:09 UTC 2018 - factory-auto@kulow.org

- updated to version 4.6.5
 see installed HISTORY.md

  ## 4.6.5 (2018-05-16)
  
  * Improved performance slightly by tweaking the order of built-in transformers.
    [@rafbm - #180][180]
  
  [180]:https://github.com/rgrove/sanitize/pull/180

-------------------------------------------------------------------
Wed Mar 21 05:31:08 UTC 2018 - factory-auto@kulow.org

- updated to version 4.6.4
 see installed HISTORY.md

  ## 4.6.4 (2018-03-20)
  
  * Fixed: A change introduced in 4.6.2 broke certain transformers that relied on
    being able to mutate the name of an HTML node. That change has been reverted
    and a test has been added to cover this case. [@zetter - #177][177]
  
  [177]:https://github.com/rgrove/sanitize/issues/177

-------------------------------------------------------------------
Tue Mar 20 10:16:57 UTC 2018 - factory-auto@kulow.org

- updated to version 4.6.3
 see installed HISTORY.md

  ## 4.6.3 (2018-03-19)
  
  * Fixed an HTML injection vulnerability that could allow XSS.
  
    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
    specially crafted HTML fragment can cause libxml2 to generate improperly
    escaped output, allowing non-whitelisted attributes to be used on whitelisted
    elements.
  
    Sanitize now performs additional escaping on affected attributes to prevent
    this.
  
    Many thanks to the Shopify Application Security Team for responsibly reporting
    this issue.
  
  ## 4.6.2 (2018-03-19)
  
  * Reduced string allocations to optimize memory usage. [@janklimo - #175][175]
  
  [175]:https://github.com/rgrove/sanitize/pull/175
  
  ## 4.6.1 (2018-03-15)
  
  * Added support for frozen string literals in Ruby 2.4+.
    [@flavorjones - #174][174]
  
  [174]:https://github.com/rgrove/sanitize/pull/174

-------------------------------------------------------------------
Tue Jan 30 12:56:20 UTC 2018 - cbruckmayer@suse.com

- updated to version 4.6.0

  ## 4.6.0 (2018-01-29)
  * Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. @rafbm - #171

-------------------------------------------------------------------
Tue Jun  6 05:40:56 UTC 2017 - coolo@suse.com

- updated to version 4.5.0
 see installed HISTORY.md

  ## 4.5.0 (2017-06-04)
  
  * Added SVG-related CSS properties to the relaxed config. See [the diff][161]
    for the full list of added properties. [@louim - #161][161]
  
  * Fixed: Sanitize now strips null bytes (`\u0000`) before passing input to
    Nokogumbo, since they can cause recent versions to crash with a failed
    assertion in the Gumbo parser.
  
  [161]:https://github.com/rgrove/sanitize/pull/161
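As an added example (not Sanitize's own code), a standalone Ruby re-implementation of the preprocessing step the 5.1.0 and 4.5.0 entries describe: null bytes, non-whitespace control characters and Unicode noncharacters are removed before the HTML reaches the parser. The character classes follow the HTML Standard's preprocessing definitions; the function names are assumptions.

```ruby
# Added example, not code from Sanitize: strip the characters the HTML
# Standard's "preprocessing the input stream" step flags, before parsing.

# ASCII whitespace (tab, LF, FF, CR, space) is the only C0 content kept.
ASCII_WHITESPACE = [0x09, 0x0A, 0x0C, 0x0D, 0x20].freeze

# C0 controls (U+0000..U+001F, so NULL is covered too, matching the 4.5.0
# fix) and U+007F..U+009F (DEL plus the C1 controls), except ASCII whitespace.
def control_char?(cp)
  return false if ASCII_WHITESPACE.include?(cp)
  cp <= 0x1F || (0x7F..0x9F).cover?(cp)
end

# Unicode noncharacters: U+FDD0..U+FDEF plus the last two code points of
# every plane (U+FFFE, U+FFFF, U+1FFFE, U+1FFFF, ..., U+10FFFE, U+10FFFF).
def noncharacter?(cp)
  (0xFDD0..0xFDEF).cover?(cp) || (cp & 0xFFFE) == 0xFFFE
end

# Return a copy of +html+ (assumed UTF-8) with control characters and
# noncharacters removed. Invalid byte sequences are first replaced with
# U+FFFD via String#scrub so every remaining character has a code point.
def preprocess_html_input(html)
  html.scrub.each_char.reject { |ch|
    cp = ch.ord
    control_char?(cp) || noncharacter?(cp)
  }.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a NUL, a C0 control, a noncharacter and a NEL
  # (C1 control) hidden among ordinary text and legitimate whitespace.
  sample = "<p>a\u0000b\u0001c\td</p>\n\uFDD0\u0085<p>e</p>"
  puts preprocess_html_input(sample).inspect
end
```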

-------------------------------------------------------------------
Sat Oct  8 04:36:29 UTC 2016 - coolo@suse.com

- updated to version 4.4.0
 see installed HISTORY.md

  ## 4.4.0 (2016-09-29)
  
  * Added `srcset` to the attribute whitelist for `img` elements in the relaxed
    config. [@ejtttje - #156][156]
  
  [156]:https://github.com/rgrove/sanitize/pull/156

-------------------------------------------------------------------
Wed Sep 21 04:50:39 UTC 2016 - coolo@suse.com

- updated to version 4.3.0
 see installed HISTORY.md

  ## 4.3.0 (2016-09-20)
  
  * Methods can now be used as transformers. [@Skipants - #155][155]
  
  [155]:https://github.com/rgrove/sanitize/pull/155

-------------------------------------------------------------------
Tue Aug 23 04:41:24 UTC 2016 - coolo@suse.com

- updated to version 4.2.0
 see installed HISTORY.md

  ## 4.2.0 (2016-08-22)
  
  * Added `-webkit-font-smoothing` to the relaxed CSS config. [@louim - #154][154]
  
  * Fixed: Nokogumbo >=1.4.9 changed its behavior in a way that allowed invalid
    doctypes (like `<!DOCTYPE nonsense>`) when the `:allow_doctype` config setting
    was `true`. Invalid doctypes are now coerced to valid ones as they were prior
    to this Nokogumbo change.
  
  [154]:https://github.com/rgrove/sanitize/pull/154

-------------------------------------------------------------------
Mon Jul 18 04:39:33 UTC 2016 - coolo@suse.com

- updated to version 4.1.0
 see installed HISTORY.md

-------------------------------------------------------------------
Thu Dec 10 05:35:22 UTC 2015 - coolo@suse.com

- updated to version 4.0.1
 see installed HISTORY.md

  Version 4.0.1 (2015-12-09)
  --------------------------
  
  * Unpinned the Nokogumbo dependency. [@rubys - #141][141]
  
  [141]:https://github.com/rgrove/sanitize/pull/141

-------------------------------------------------------------------
Tue Apr 21 04:30:53 UTC 2015 - coolo@suse.com

- updated to version 4.0.0

-------------------------------------------------------------------
Mon Feb 23 05:30:10 UTC 2015 - coolo@suse.com

- updated to version 3.1.2

-------------------------------------------------------------------
Mon Feb  9 08:06:40 UTC 2015 - coolo@suse.com

- updated to version 3.1.1, see HISTORY.md

-------------------------------------------------------------------
Mon Oct 13 18:44:15 UTC 2014 - coolo@suse.com

- adapt to new rubygem packaging

-------------------------------------------------------------------
Thu Feb  6 18:00:13 UTC 2014 - coolo@suse.com

- updated to version 2.1.0
 * Added support for whitelisting arbitrary HTML5 `data-*` attributes. Use the
   symbol `:data` instead of an attribute name in the `:attributes` config to
   indicate that arbitrary data attributes should be allowed on an element.
 
 * Added the following elements to the relaxed config: `address`, `bdi`, `hr`,
   and `summary`.
 
 * Fixed: A colon (`:`) character in a URL fragment identifier such as `#foo:1`
   was incorrectly treated as a protocol delimiter. [@heathd - #87][87]
 
 [87]:https://github.com/rgrove/sanitize/pull/87
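An added example (not Sanitize's code) illustrating the 2.1.0 fragment fix above and the 5.2.3 rule that protocol checks also cover data attributes: a scheme is only the text before a colon that precedes any `/`, `?` or `#`, so `#foo:1` is a relative reference, and the same check is applied to `href`, `src` and every `data-*` value. Function names and the allowlists are assumptions.

```ruby
# Added example, not Sanitize's own code. Extract the scheme of a URL the way
# a sanitizer should: only a ':' that comes before any '/', '?' or '#' can
# delimit a scheme, so "#foo:1" (the 2.1.0 bug) is a relative reference.
def url_scheme(url)
  m = url.match(/\A\s*([^\/?#:]*):/)
  m && m[1].downcase
end

# A URL passes when its scheme is in +allowed+, or when it is relative and
# "relative" is in +allowed+. An empty scheme (":foo") fails closed.
def allowed_url?(url, allowed)
  scheme = url_scheme(url)
  return allowed.include?("relative") if scheme.nil?
  allowed.include?(scheme)
end

# Drop URL-bearing attributes whose value is not allowed. Attributes named
# in +url_attrs+ and every "data-*" attribute are checked, mirroring the
# 5.2.3 entry above; other attributes pass through untouched.
def strip_bad_url_attrs(attrs, url_attrs:, allowed:)
  attrs.reject do |name, value|
    checked = url_attrs.include?(name) || name.start_with?("data-")
    checked && !allowed_url?(value, allowed)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a link whose href is a fragment containing a colon,
  # plus a data attribute carrying a scheme that is not on the allowlist.
  attrs = { "href" => "#foo:1", "data-url" => "javascript:void(0)", "title" => "a:b" }
  p strip_bad_url_attrs(attrs, url_attrs: %w[href src], allowed: %w[http https mailto relative])
end
```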

-------------------------------------------------------------------
Sun Jul 21 06:32:19 UTC 2013 - coolo@suse.com

- updated to version 2.0.6
 * Fixed: Version 2.0.5 inadvertently included some work-in-progress changes that
   shouldn't have made their way into the master branch. This is what happens
   when I release before coffee instead of after.
 
 
 * Loosened the Nokogiri dependency back to >= 1.4.4 to allow Sanitize to coexist
   in newer Rubies with other libraries that restrict Nokogiri to 1.5.x for 1.8.7
   compatibility. Sanitize still no longer supports 1.8.7, but this should make
   life easier for people who need those other libs.

-------------------------------------------------------------------
Thu Jun 13 05:25:48 UTC 2013 - coolo@suse.com

- updated to version 2.0.4
  * Added `Sanitize.clean_document`, which sanitizes a full HTML document rather
    than just a fragment. [Ben Anderson]

  * Nokogiri dependency bumped to 1.6.x.

  * Dropped support for Ruby versions older than 1.9.2.

-------------------------------------------------------------------
Fri Dec 28 13:01:28 UTC 2012 - coolo@suse.com

- initial package (version 2.0.3)
