Overview

File rubygem-rails-html-sanitizer.changes of Package rubygem-rails-html-sanitizer

-------------------------------------------------------------------
Mon Jun 13 17:09:28 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 1.4.3

  * Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer.

    Fixes CVE-2022-32209

    *Mike Dalessio*

-------------------------------------------------------------------
Wed Aug 25 05:24:58 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 1.4.2

  * Slightly improve performance.

    Assuming elements are more common than comments, make one less method call per node.

    *Mike Dalessio*

  ## 1.4.1 / 2021-08-18

  * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

    Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
    passed through elements to the scrubber's `keep_node?` method.

    This change once again allows the scrubber to make the decision on comment nodes, but still skips
    other non-elements like processing instructions (see #115).

    *Mike Dalessio*

  ## 1.4.0 / 2021-08-18

  * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber

    Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
    are no known security issues associated with these PIs, but similar to comments it's preferred to
    omit these nodes when possible from sanitized output.

    Fixes #115.

    *Mike Dalessio*

-------------------------------------------------------------------
Tue Nov 12 15:06:13 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 1.3.0

  * Address deprecations in Loofah 2.3.0.

    *Josh Goodall*

-------------------------------------------------------------------
Thu Aug 15 18:01:28 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 1.2.0

  * Remove needless `white_list_sanitizer` deprecation.

    By deprecating this, we were forcing Rails 5.2 to be updated or spew
    deprecations that users could do nothing about.

    That's pointless and I'm sorry for adding that!

    Now there's no deprecation warning and Rails 5.2 works out of the box, while
    Rails 6 can use the updated naming.

    *Kasper Timm Hansen*

-------------------------------------------------------------------
Fri Mar 23 09:55:41 UTC 2018 - dkang@suse.com

- updated to version 1.0.4
  * CVE-2018-3741: XSS vulnerability
  see installed CHANGELOG.md
  fix bsc#1086598

-------------------------------------------------------------------
Tue Jan 26 05:35:48 UTC 2016 - coolo@suse.com

- updated to version 1.0.3:
  * boo#963326: CVE-2015-7578: XSS vulnerability via attributes 
  * boo#963327: CVE-2015-7579: XSS vulnerability
  * boo#963328: CVE-2015-7580: XSS via whitelist sanitizer 

-------------------------------------------------------------------
Mon Mar 16 06:51:40 UTC 2015 - coolo@suse.com

- updated to version 1.0.2, no changelog

-------------------------------------------------------------------
Mon Feb  9 08:20:28 UTC 2015 - coolo@suse.com

- initial package (version 1.0.1)
openSUSE Build Service is sponsored by
Places