Fix a security vulnerability using :quote in combination with the :escape_html option.
Reported by Johan Smits.
v3.5.0
This release mostly ships with bug fixes and tiny improvements.
Improvements
Avoid mutating the options hash passed to a render object (See #663).
Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code (See #451).
Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation (See #536).
Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents (See #519):
Fix a segfault rendering quotes using StripDown and the :quote option.
Fix SmartyPants single quotes right after a link. For example:
[John](http://john.doe)'s cat
Will now properly converts ' to a right single quote (i.e. ’).
v3.4.0
Redcarpet v3.4.0
This new release ships with a bunch of bug fixes especially regarding anchor generation.
Improvements to anchor generation
The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty as non alpha-numeric chars. This is specifically interesting for CJK contents as Redcarpet used to generate empty anchors dealing with titles in these locales.
Special thanks to Alexey Kopytko and namusyaka for their work on that !
Also now, the html-escaped entities are removed from anchors generated with the HTML render in order to be consistent with the HTML_TOC render and as it is more expected.
Other improvements
Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
The Markdown and rendering options are now exposed through a Hash inside the @options instance variable inside your custom render objects.
Automatically enable the fenced_code_blocks option passing a
HTML_TOC object to the Markdown object's constructor since
some languages rely on the sharp to comment code.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/18F/brand/network/alerts).
Bumps redcarpet from 3.3.3 to 3.5.1.
Release notes
Sourced from redcarpet's releases.
... (truncated)
Changelog
Sourced from redcarpet's changelog.
... (truncated)
Commits
a699c82
Fix a security issue using:quote
with:escape_html
6270d6b
Redcarpet v3.5.094f6e27
Tiny follow-up to #6633100f65
Merge pull request #663 from maschwenk/dont-mutate-optionsfc52d9c
Add regression test03e7997
Don't mutated passed options92a7b3a
Fix a segfault with StripDown and the:quote
option7352162
Merge pull request #649 from rbalint/mastere23383e
Merge pull request #650 from kolen/fix-warning-options-not-initialized6b86656
Fix "instance variable@options
not initialized" warningDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/18F/brand/network/alerts).