Bumps loofah from 2.1.1 to 2.2.2. This update includes security fixes.
Vulnerabilities fixed
> **Loofah XSS Vulnerability**
> Loofah allows non-whitelisted attributes to be present in sanitized
> output when input with specially-crafted HTML fragments.
>
> Patched versions: [">= 2.2.1"]
> Unaffected versions: []
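The advisory above gives the patched range as `>= 2.2.1`. A practical way to confirm a bump like this actually landed is to check the resolved version in `Gemfile.lock` against that requirement rather than trusting the Gemfile constraint. The following Ruby is an added example, not code from this PR or from the loofah project: the lockfile text is constructed for illustration, the advisory table is filled from the range quoted in this PR, and it relies only on `Gem::Version` and `Gem::Requirement` from the Ruby standard library.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement (normally loaded already)

# Constructed sample Gemfile.lock, shaped like Bundler's output; it pins the
# vulnerable loofah 2.1.1 that this PR bumps away from.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    crass (1.0.4)
    loofah (2.1.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mini_portile2 (2.3.0)
    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  loofah
  rails-html-sanitizer

BUNDLED WITH
   1.16.1
LOCK

# Patched-version data taken from the advisory quoted in this PR.
ADVISORIES = {
  "loofah" => { "cve" => "CVE-2018-8048", "patched" => [">= 2.2.1"] },
}

# Returns { gem_name => Gem::Version } for every resolved spec in the lockfile.
# Resolved specs sit under "specs:" at exactly four spaces of indent; the
# six-space lines beneath them are dependency constraints, not resolved gems.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented line starts the next top-level section (PLATFORMS, ...).
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Returns [gem, locked_version, cve] for each advisory whose gem is in the
# bundle and whose locked version satisfies none of the patched ranges.
def unpatched_gems(lockfile_text, advisories = ADVISORIES)
  locked = locked_versions(lockfile_text)
  advisories.each_with_object([]) do |(name, adv), out|
    version = locked[name]
    next unless version # gem not in this bundle, nothing to check
    patched = adv["patched"].any? do |req|
      Gem::Requirement.new(req).satisfied_by?(version)
    end
    out << [name, version.to_s, adv["cve"]] unless patched
  end
end

if __FILE__ == $PROGRAM_NAME
  unpatched_gems(SAMPLE_LOCKFILE).each do |name, version, cve|
    puts "#{name} #{version} is affected by #{cve}"
  end
end
```

Run against the sample, the check reports `loofah 2.1.1 is affected by CVE-2018-8048`; after the bump to 2.2.2 the same lockfile produces no findings. Reading the resolved version from the lockfile matters because a Gemfile line such as `gem "loofah", "~> 2.0"` is satisfied by both the vulnerable and the patched release, so only the lock proves which one a deployment actually runs.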
Release notes
*Sourced from loofah's [releases](https://github.com/flavorjones/loofah/releases).*
> ## v2.2.2
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> which was previously a private method. This is so that downstream gems
> (like rails-html-sanitizer) can use this logic directly for their own
> attribute scrubbers should they need to address CVE-2018-8048.
Changelog
*Sourced from loofah's [changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> which was previously a private method. This is so that downstream gems
> (like rails-html-sanitizer) can use this logic directly for their own
> attribute scrubbers should they need to address CVE-2018-8048.
>
>
> ## 2.2.1 / 2018-03-19
>
> Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
>
> This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
>
> ## 2.2.0 / 2018-02-11
>
> Features:
>
> * Support HTML5 `` tag. [#133](https://github-redirect.dependabot.com/flavorjones/loofah/issues/133) (Thanks, [**MothOnMars**](https://github.com/MothOnMars)!)
> * Recognize HTML5 block elements. [#136](https://github-redirect.dependabot.com/flavorjones/loofah/issues/136) (Thanks, [**MothOnMars**](https://github.com/MothOnMars)!)
> * Support SVG `` tag. [#131](https://github-redirect.dependabot.com/flavorjones/loofah/issues/131) (Thanks, [**baopham**](https://github.com/baopham)!)
> * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, [**NikoRoberts**](https://github.com/NikoRoberts)!)
> * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, [**andela**](https://github.com/andela)-ysanni and [**NikoRoberts**](https://github.com/NikoRoberts)!)
>
> Bugfixes:
>
> * Properly handle nested `script` tags. [#127](https://github-redirect.dependabot.com/flavorjones/loofah/issues/127).
Commits
- [`37af4ee`](https://github.com/flavorjones/loofah/commit/37af4ee08f9e9531e24287c2783a79d331fc9243) version bump to 2.2.2
- [`56e95a6`](https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe) Make public `force_correct_attribute_escaping!`
- [`9452bff`](https://github.com/flavorjones/loofah/commit/9452bff056f82d6ea7cbc9c054c1eb39900ceeea) use VersionInfo.instance
- [`7541374`](https://github.com/flavorjones/loofah/commit/7541374548ee9be53c463a3172cf4d28356ebe1c) version bump to 2.2.1
- [`70bd089`](https://github.com/flavorjones/loofah/commit/70bd089c31eac06f6156893aab0b2665fb9cf320) update Manifest.txt and CHANGELOG.md
- [`332ec6a`](https://github.com/flavorjones/loofah/commit/332ec6a7086fbb38cf08a905aed7c8a3ee43e505) Merge branch 'flavorjones-remediate-attribute-escaping'
- [`f739cf8`](https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116) tests and fix for CVE-2018-8048
- [`0c97c74`](https://github.com/flavorjones/loofah/commit/0c97c745aaec27f7bba4edd74be0e7d7cb9b82ad) SECURITY.md to publish vuln reporting process
- [`d64b74d`](https://github.com/flavorjones/loofah/commit/d64b74d13f6c50c18a9a7168cdcc09b9be5b63d9) bump the fake gemspec
- [`08cc110`](https://github.com/flavorjones/loofah/commit/08cc1100ecba81c47184d1b1fe7131f500d2ba15) fix remaining rdoc format in README
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.1.1...v2.2.2)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
Finally, you can contact us by mentioning @dependabot.