Closed: renovate[bot] closed this PR 3 years ago.
Merging #139 (98d46d3) into master (cd449f6) will increase coverage by 3.45%. The diff coverage is n/a.

Impacted Files | Coverage Δ |
---|---|
webapp/app.py | 15.73% <0.00%> (+4.66%) :arrow_up: |
As this PR has been closed unmerged, Renovate will now ignore this update (==3.3.0). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.
This PR contains the following updates:

Package | Change |
---|---|
bleach | `==3.2.1` -> `==3.3.0` |
GitHub Vulnerability Alerts

CVE-2021-23980

Impact

A mutation XSS affects users calling bleach.clean with all of:

- svg or math in the allowed tags
- p or br in the allowed tags
- style, title, noscript, script, textarea, noframes, iframe, or xmp in the allowed tags
- strip_comments=False

Note: none of the above tags are in the default allowed tags, and strip_comments defaults to True.

Patches

Users are encouraged to upgrade to bleach v3.3.0 or greater.

Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

Workarounds

Modify bleach.clean calls to do at least one of:

- not allow the style, title, noscript, script, textarea, noframes, iframe, or xmp tags
- not allow the svg or math tags
- not allow the p or br tags
- use strip_comments=True

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs will also help mitigate the risk.

References
Credits
For more information
If you have any questions or comments about this advisory:
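The four conditions above combine into a check a maintainer can run over the arguments of existing bleach.clean calls before the upgrade lands. This is an added example, not code from the PR, from Renovate or from bleach itself; the function names and the choice of which conditions to break in the hardened configuration are this example's own assumptions, and it needs no bleach install because it only inspects the call arguments.

```python
# Added example (not part of the Renovate PR or of bleach): audit the arguments
# of a bleach.clean() call against the conditions of CVE-2021-23980 and derive
# a configuration that satisfies the advisory's workarounds.
from typing import Iterable, List, Tuple

# Tag groups named in the advisory. All three groups must be allowed, together
# with strip_comments=False, for a pre-3.3.0 bleach.clean() call to be affected.
NAMESPACE_TAGS = {"svg", "math"}
PARA_TAGS = {"p", "br"}
RAW_TEXT_TAGS = {"style", "title", "noscript", "script", "textarea",
                 "noframes", "iframe", "xmp"}


def is_affected(tags: Iterable[str], strip_comments: bool) -> bool:
    """True only when the call meets every condition listed in the advisory."""
    allowed = {t.lower() for t in tags}  # html5lib lower-cases tag names
    return (
        bool(allowed & NAMESPACE_TAGS)
        and bool(allowed & PARA_TAGS)
        and bool(allowed & RAW_TEXT_TAGS)
        and not strip_comments
    )


def harden(tags: Iterable[str], strip_comments: bool) -> Tuple[List[str], bool]:
    """Return (tags, strip_comments) with two of the workarounds applied:
    the raw-text tags are dropped and strip_comments is forced to True.
    Breaking any single condition is enough; applying two is this
    example's conservative choice, not something the advisory requires."""
    kept = [t for t in tags if t.lower() not in RAW_TEXT_TAGS]
    return kept, True


if __name__ == "__main__":
    # Constructed configuration resembling a call the advisory warns about.
    tags = ["p", "br", "svg", "style", "a"]
    print(is_affected(tags, strip_comments=False))  # True
    safe_tags, strip = harden(tags, strip_comments=False)
    print(is_affected(safe_tags, strip), safe_tags, strip)  # False ['p', 'br', 'svg', 'a'] True
```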
Release Notes

mozilla/bleach

### [`v3.3.0`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-330-February-1st-2021) [Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.3...v3.3.0)

**Backwards incompatible changes**

- clean escapes HTML comments even when strip_comments=False

**Security fixes**

- Fix bug [`1621692`](https://togithub.com/mozilla/bleach/commit/1621692) / GHSA-m6xf-fq7q-8743. See the advisory for details.

**Features**

None

**Bug fixes**

None

### [`v3.2.3`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-323-January-26th-2021) [Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.2...v3.2.3)

**Security fixes**

None

**Features**

None

**Bug fixes**

- fix clean and linkify raising ValueErrors for certain inputs. Thank you [@Google-Autofuzz](https://togithub.com/Google-Autofuzz).

### [`v3.2.2`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-322-January-20th-2021) [Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.1...v3.2.2)

**Security fixes**

None

**Features**

- Migrate CI to Github Actions. Thank you [@hugovk](https://togithub.com/hugovk).

**Bug fixes**

- fix linkify raising an IndexError on certain inputs. Thank you [@Google-Autofuzz](https://togithub.com/Google-Autofuzz).

Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.