🚨 [security] Update loofah: 2.9.1 → 2.19.1 (minor) #218
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
Security Advisories 🚨
🚨 Inefficient Regular Expression Complexity in Loofah
🚨 Improper neutralization of data URIs may allow XSS in Loofah
🚨 Uncontrolled Recursion in Loofah
Release Notes
2.19.1
2.19.0
2.18.0
2.17.0
2.16.0
2.15.0
2.14.0
2.13.0
2.12.0
2.11.0
2.10.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 68 commits:
version bump to v2.19.1
docs: preserve the context and decision record
fix: replace recursive approach to cdata with escaping solution
fix: do not allow "image/svg+xml" in data URIs
refactor: extract scrub_uri_attribute for downstream use
ci: pin psych to v4 until v5 builds properly on CI
fix: replace slow regex attribute check with crass parser
Merge pull request #247 from flavorjones/flavorjones-downstream-test-rhs
ci: test downstream rails-html-sanitizer
Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci
ci: ensure a min rubygems version
version bump to v2.19.0
Merge pull request #244 from flavorjones/243-extended-css-colors
feat: support SVG 1.0 extended color keywords
prefactor: separate colors from other safelisted CSS keywords
version bump to v2.18.0
Merge pull request #237 from flavorjones/flavorjones-fix-2.5-ci
ci: do not fail fast
Merge pull request #236 from louim/patch-1
Add aspect-ratio to the list of css properties
update README to remove pledgie link
Merge pull request #235 from flavorjones/flavorjones-update-tests-for-libxml_2_9_14
test: ensure we pass with libxml 2.9.14
version bump to 2.17.0
Merge pull request #233 from flavorjones/flavorjones-aria-attributes
feat: add the remaining aria attributes and an ad-hoc test
Adds ARIA attributes
version bump to v2.16.0
Merge pull request #231 from watermelonexpress/mathml-updates
Adds menclose and ms MathML elements and supported attributes
version bump to v2.15.0
Merge pull request #229 from brendon/patch-1
Allow sms: as a valid protocol
Merge pull request #227 from flavorjones/flavorjones-add-coverage-for-entities
test: add coverage for entities
version bump to v2.14.0
Merge pull request #226 from flavorjones/225-to_text-should-newline-for-br
feat: Node#to_text replaces <br> with a newline
Merge pull request #223 from flavorjones/flavorjones-update-ci-with-ruby31
ci: update to cover Ruby 3.1
meta: Github Sponsors link
version bump to v2.13.0
Merge pull request #222 from flavorjones/221-fragment-text-should-not-serialize-comment
fix: comments should not be emitted by DocumentFragment#text
Merge pull request #220 from flavorjones/flavorjones-test-css-hex-encoded-exploit
test: use CSS hex-encoded strings to test sanitization
Merge pull request #217 from gogainda/main
Update ci.yml
version bump to v2.12.0
Merge pull request #216 from flavorjones/215-support-empty-data-attributes
feat: support empty HTML5 data attributes
version bump to v2.11.0
Merge pull request #214 from flavorjones/201-border-collapse
feat: allow all `border-collapse` CSS property values
Merge pull request #213 from flavorjones/flavorjones-allow-wbr-element
feat: allow HTML5 element `wbr`
remove disallowed elements from VOID_ELEMENTS
dev: remove concourse pipelines and dev dependency
version bump to v2.10.0, and update CHANGELOG
Merge pull request #206 from sampokuokkanen/patch-1
Update safelist.rb to include overflow-x and y
Merge pull request #208 from flavorjones/flavorjones-move-to-github-actions
ci: create github actions pipeline
Merge pull request #207 from flavorjones/flavorjones-update-tests-to-pass-with-libxml-2_9_11
test: libxml 2.9.11 handles namespaces in HTML docs differently
test: unicode every character in the unicode test, for completeness
Merge pull request #205 from flavorjones/flavorjones-test-unicode-encoded-exploit
test: actually test against a working unicode-encoded exploit
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with:
@depfu rebase
All Depfu comment commands