Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Bump rails-html-sanitizer from 1.0.3 to 1.1.0 #14

Closed
wants to merge 1 commit into from
Closed

[Security] Bump rails-html-sanitizer from 1.0.3 to 1.1.0 #14

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link

Bumps rails-html-sanitizer from 1.0.3 to 1.1.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

XSS vulnerability in rails-html-sanitizer
There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows
non-whitelisted attributes to be present in sanitized output when input with
specially-crafted HTML fragments, and these attributes can lead to an XSS attack
on target applications.

This issue is similar to CVE-2018-8048 in Loofah.

Patched versions: >= 1.0.4
Unaffected versions: none

Release notes

Sourced from rails-html-sanitizer's releases.

v1.1.0

  • Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
    in 1.2.0. #87

    Juanito Fatas

  • Remove href from LinkScrubber's tags as it's not an element.
    #92

    Juanito Fatas

  • Explain that we don't need to bump Loofah here if there's CVEs.
    rails/rails-html-sanitizer@d4d823c

    Kasper Timm Hansen

v1.0.4

Changelog

Sourced from rails-html-sanitizer's changelog.

1.1.0

  • Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
    in 1.2.0. #87

    Juanito Fatas

  • Remove href from LinkScrubber's tags as it's not an element.
    #92

    Juanito Fatas

  • Explain that we don't need to bump Loofah here if there's CVEs.
    rails/rails-html-sanitizer@d4d823c

    Kasper Timm Hansen

1.0.1

  • Added support for Rails 4.2.0.beta2 and above

1.0.0

  • First release.
Commits
  • df0c946 Prepare version 1.1.0
  • bf6adff Merge pull request #91 from JuanitoFatas/doc/scrubbers
  • c5912e7 Merge pull request #92 from JuanitoFatas/link-sanitizer
  • 5d735a7 Improve LinkSanitizer's documentation
  • 2523282 href is not a HTML element
  • b3c4f7d Improve Scrubber documentations
  • 2191bfe Merge pull request #87 from JuanitoFatas/migrate-to-safelist
  • 41b0b49 Migrate to SafeListSanitizer
  • 5b73a09 Merge pull request #90 from JuanitoFatas/jf.fix-tests
  • 3ca8a87 Update test behavior for Nokogiri > 1.9.1.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Aug 5, 2019
@dependabot-preview dependabot-preview bot mentioned this pull request Aug 5, 2019
Closed
@dependabot-preview
Copy link
Author

Superseded by #15.

@dependabot-preview dependabot-preview bot deleted the dependabot/bundler/rails-html-sanitizer-1.1.0 branch August 9, 2019 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants