File rubygem-loofah.changes of Package rubygem-loofah
-------------------------------------------------------------------
Tue Nov 14 15:13:24 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>
- ## 2.22.0 / 2023-11-13
### Added
* A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
* A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
-------------------------------------------------------------------
Fri Nov 3 07:41:26 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>
- ## 2.21.4 / 2023-10-10
### Fixed
* `Loofah::HTML5::Scrub.scrub_css` is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, `.scrub_css` no longer inserts whitespace between tokens that did not already have whitespace between them. [[#273](https://github.com/flavorjones/loofah/issues/273), fixes [#271](https://github.com/flavorjones/loofah/issues/271)]
## 2.21.3 / 2023-05-15
### Fixed
* Quash "instance variable not initialized" warning in Ruby < 3.0. [[#268](https://github.com/flavorjones/loofah/issues/268)] (Thanks, [@dharamgollapudi](https://github.com/dharamgollapudi)!)
## 2.21.2 / 2023-05-11
### Dependencies
* Update the dependency on Nokogiri to be `>= 1.12.0`. The dependency in 2.21.0 and 2.21.1 was left at `>= 1.5.9` but versions before 1.12 would result in a `NameError` exception. [[#266](https://github.com/flavorjones/loofah/issues/266)]
## 2.21.1 / 2023-05-10
### Fixed
* Don't define `HTML5::Document` and `HTML5::DocumentFragment` when Nokogiri is `< 1.14`. In 2.21.0 these classes were defined whenever `Nokogiri::HTML5` was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.
## 2.21.0 / 2023-05-10
### HTML5 Support
Classes `Loofah::HTML5::Document` and `Loofah::HTML5::DocumentFragment` are introduced, along with helper methods:
- `Loofah.html5_document`
- `Loofah.html5_fragment`
- `Loofah.scrub_html5_document`
- `Loofah.scrub_html5_fragment`
These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.
⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.
⚠ HTML5 functionality is not available for JRuby. Please see [this upstream Nokogiri issue](https://github.com/sparklemotion/nokogiri/issues/2227) if you're interested in helping implement and support HTML5 support.
### `Loofah::HTML4` module and namespace
`Loofah::HTML` has been renamed to `Loofah::HTML4`, and `Loofah::HTML` is aliased to preserve backwards-compatibility. `Nokogiri::HTML` and `Nokogiri::HTML4` parse methods still use libxml2's (or NekoHTML's) HTML4 parser.
Take special note that if you rely on the class name of an object in your code, objects will now report a class of `Loofah::HTML4::Foo` where they previously reported `Loofah::HTML::Foo`. Instead of relying on the string returned by `Object#class`, prefer `Class#===` or `Object#is_a?` or `Object#instance_of?`.
Future releases of Nokogiri may deprecate `HTML` classes and methods or otherwise change this behavior, so please start using `HTML4` in place of `HTML`.
### Official support for JRuby
This version introduces official support for JRuby. Previously, the test suite had never been green due to differences in behavior in the underlying HTML parser used by Nokogiri. We've updated the test suite to accommodate those differences, and have added JRuby to the CI suite.
## 2.20.0 / 2023-04-01
### Features
* Allow SVG attributes `color-profile`, `cursor`, `filter`, `marker`, and `mask`. [[#246](https://github.com/flavorjones/loofah/issues/246)]
* Allow SVG elements `altGlyph`, `cursor`, `feImage`, `pattern`, and `tref`. [[#246](https://github.com/flavorjones/loofah/issues/246)]
* Allow protocols `fax` and `modem`. [[#255](https://github.com/flavorjones/loofah/issues/255)] (Thanks, [@cjba7](https://github.com/cjba7)!)
-------------------------------------------------------------------
Mon Mar 6 14:42:39 UTC 2023 - Paolo Perego <paolo.perego@suse.com>
- udpated to version 2.19.1
## 2.19.1 / 2022-12-13
### SecurityAddress
* Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
* Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
* Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.
-------------------------------------------------------------------
Mon Oct 10 13:09:46 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 2.19.0
see installed CHANGELOG.md
## 2.19.0 / 2022-09-14
### Features
* Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
-------------------------------------------------------------------
Sun May 15 15:40:12 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.18.0
### Features
* Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
## 2.17.0 / 2022-04-28
### Features
* Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
-------------------------------------------------------------------
Thu Apr 28 05:35:21 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 2.16.0
see installed CHANGELOG.md
## 2.16.0 / 2022-04-01
### Features
* Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
## 2.15.0 / 2022-03-14
### Features
* Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
-------------------------------------------------------------------
Thu Mar 3 08:22:28 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 2.14.0
see installed CHANGELOG.md
## 2.14.0 / 2022-02-11
### Features
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
-------------------------------------------------------------------
Fri Dec 24 23:54:55 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.13.0
### Bug fixes
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
-------------------------------------------------------------------
Wed Aug 25 05:14:19 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.12.0
## 2.12.0 / 2021-08-11
### Features
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
## 2.11.0 / 2021-07-31
### Features
* Allow HTML5 element `wbr`.
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
### Changes
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
-------------------------------------------------------------------
Thu Jun 24 17:35:09 UTC 2021 - Stephan Kulow <coolo@suse.com>
updated to version 2.10.0
see installed CHANGELOG.md
## 2.10.0 / 2021-06-06
### Features
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
-------------------------------------------------------------------
Tue Apr 20 13:38:21 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.9.1
### Bug fixes
* Fix a regression in v2.9.0 which inappropriately removed CSS properties
with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
-------------------------------------------------------------------
Wed Jan 20 07:36:46 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.9.0
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199),
[#200](https://github.com/flavorjones/loofah/issues/200)]
-------------------------------------------------------------------
Fri Dec 11 03:13:59 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.8.0
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`,
`flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`.
[[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
-------------------------------------------------------------------
Sat Sep 12 12:25:01 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.7.0
### Features
* Allow CSS properties `page-break-before`, `page-break-inside`, and
`page-break-after`. [[#190](https://github.com/flavorjones/loofah/issues/190)]
(Thanks, [@ahorek](https://github.com/ahorek)!)
### Fixes
* Don't drop the `!important` rule from some CSS properties.
[[#191](https://github.com/flavorjones/loofah/issues/191)]
(Thanks, [@b7kich](https://github.com/b7kich)!)
-------------------------------------------------------------------
Thu Jun 25 10:01:00 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.6.0
* Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)
-------------------------------------------------------------------
Mon Apr 27 12:54:33 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.5.0
### Features
* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)
### Fixes
* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [#80]
### Other changes
* Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
* Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)
-------------------------------------------------------------------
Thu Nov 28 07:22:05 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.4.0
### Features
* Allow CSS property `max-width` [#175] (Thanks, @bchaney!)
* Allow CSS sizes expressed in `rem` [#176, #177]
* Add `frozen_string_literal: true` magic comment to all `lib` files. [#118]
-------------------------------------------------------------------
Tue Nov 12 15:24:24 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 2.3.1
Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
This CVE's public notice is at #171
-------------------------------------------------------------------
Tue Nov 6 07:47:42 UTC 2018 - mschnitzer@suse.com
- updated to version 2.2.3
### Security (bsc#1113969, CVE-2018-16468)
Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
## Meta / 2018-10-27
The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):
* Mail: loofah-talk@googlegroups.com
* Archive: https://groups.google.com/forum/#!forum/loofah-talk
This change was made because librelist no longer appears to be maintained.
-------------------------------------------------------------------
Fri Mar 23 10:15:28 UTC 2018 - dkang@suse.com
- update to version 2.2.2
* Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!, which was previously a private method.
This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
fix bsc#1086598
-------------------------------------------------------------------
Tue Mar 20 09:19:17 UTC 2018 - dkang@suse.com
- Update to version 2.2.1
Fix XSS Vulnerability [CVE-2018-8048]
fix bsc#1085967
-------------------------------------------------------------------
Thu Feb 15 14:13:37 UTC 2018 - mrueckert@suse.de
- also set a description again
-------------------------------------------------------------------
Mon Feb 12 10:11:44 UTC 2018 - bgeuken@suse.com
- Update to version 2.2.0
Features:
* Support HTML5 <main> tag. #133 (Thanks, @MothOnMars!)
* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
* Support SVG <symbol> tag. #131 (Thanks, @baopham!)
* Support for whitelisting CSS functions, initially just calc and rgb. #122/#123/#129 (Thanks, @NikoRoberts!)
* Whitelist CSS property list-style-type. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
Bugfixes:
* Properly handle nested script tags. #127.
-------------------------------------------------------------------
Fri Oct 13 11:25:11 UTC 2017 - mschnitzer@suse.com
- updated to version 2.1.1
2.1.1 / 2017-09-24
Bugfixes:
* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
-------------------------------------------------------------------
Tue Aug 18 04:32:46 UTC 2015 - coolo@suse.com
- updated to version 2.0.3
see installed CHANGELOG.rdoc
== 2.0.3 / 2015-08-17
Bug fixes:
* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
-------------------------------------------------------------------
Wed May 6 04:30:11 UTC 2015 - coolo@suse.com
- updated to version 2.0.2
see installed CHANGELOG.rdoc
== 2.0.2 / 2015-05-05
Bug fixes:
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
-------------------------------------------------------------------
Wed Nov 12 05:55:25 UTC 2014 - coolo@suse.com
- updated to version 2.0.1
Bug fixes:
* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
Notes:
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
-------------------------------------------------------------------
Mon Oct 13 14:21:06 UTC 2014 - coolo@suse.com
- adapt to new rubygem packaging
-------------------------------------------------------------------
Sun May 18 09:04:34 UTC 2014 - coolo@suse.com
- updated to version 2.0.0
Compatibility notes:
* ActionView helpers now must be required explicitly: `require "loofah/helpers"`
* Support for Ruby 1.8.7 and prior has been dropped
Enhancements:
* HTML5 whitelist allows the following ...
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
* attributes: `data-*` (Thanks, Rafael Franca!)
* URI attributes: `poster` and `preload`
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
Bug fixes:
* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
-------------------------------------------------------------------
Mon Jul 30 18:14:41 UTC 2012 - coolo@suse.com
- update to 1.2.1
* Declaring encoding in html5/scrub.rb. Without this, use of the
ruby -KU option would cause havoc. (#32)
-------------------------------------------------------------------
Thu Aug 25 07:42:30 UTC 2011 - fcastelli@novell.com
- add 'Provides rubygem-loofah-1_2'
-------------------------------------------------------------------
Wed Aug 24 21:45:16 UTC 2011 - fcastelli@novell.com
- upgrade to 1.2.0
-------------------------------------------------------------------
Thu Jul 21 16:00:10 UTC 2011 - fcastelli@novell.com
- Upgrade to version 1.0.0
- Add provides loofah_1_0 required to build latest version of
rubygem-feedzirra.
-------------------------------------------------------------------
Fri Jun 11 18:42:16 UTC 2010 - mrueckert@suse.de
- additional changes from version 0.4.7
* New methods Loofah::HTML::Document#to_text and
Loofah::HTML::DocumentFragment#to_text do the right thing with
whitespace. Note that these methods are significantly slower
than #text. GH #12
* Loofah::Elements::BLOCK_LEVEL contains a canonical list of
HTML4 block-level4 elements.
* Loofah::HTML::Document#text and
Loofah::HTML::DocumentFragment#text will return unescaped HTML
entities by passing :encode_special_chars => false.
- additional changes from version 0.4.4, 0.4.5, 0.4.6
* Loofah::HTML::Document#text and
Loofah::HTML::DocumentFragment#text now escape HTML entities.
* Loofah::XssFoliate was not properly escaping HTML entities when
implicitly scrubbing a string attribute. GH #17
- additional changes from version 0.4.3
* All built-in scrubbers are accepted by
ActiveRecord::Base.xss_foliate
* Loofah::XssFoliate.xss_foliate_all_models replaces use of the
constant LOOFAH_XSS_FOLIATE_ALL_MODELS
* Modified documentation for bootstrapping XssFoliate in a Rails
app, since the use of Bundler breaks the previously-documented
method. To be safe, always use an initializer file.
- additional changes from version 0.4.2
* Implemented Node#scrub! for scrubbing subtrees.
* Implemented NodeSet#scrub! for scrubbing a set of subtrees.
* Document.text now only serializes <body> contents
(ignores <head>)
* <head>, <html> and <body> added to the HTML5lib whitelist.
* Supporting Rails apps that aren't loading ActiveRecord. GH #10
-------------------------------------------------------------------
Fri Jun 11 10:00:01 UTC 2010 - mrueckert@suse.de
- use rubygems_requires macro
-------------------------------------------------------------------
Thu Jan 7 18:17:12 CET 2010 - prusnak@suse.cz
- created package
