dancerfly / django-brambling

Event website manager, specifically designed for dance weekends or other events with multiple simultaneous tracks of classes.
BSD 3-Clause "New" or "Revised" License
11 stars 3 forks source link

Bump bleach from 1.4.2 to 3.1.1 #942

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps bleach from 1.4.2 to 3.1.1.

Changelog *Sourced from [bleach's changelog](https://github.com/mozilla/bleach/blob/master/CHANGES).* > Version 3.1.1 (February 13th, 2020) > ----------------------------------- > > **Security fixes** > > * ``bleach.clean`` behavior parsing ``noscript`` tags did not match > browser behavior. > > Calls to ``bleach.clean`` allowing ``noscript`` and one or more of > the raw text tags (``title``, ``textarea``, ``script``, ``style``, > ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable > to a mutation XSS. > > This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, > and v3.1.0. Earlier versions are probably affected too. > > Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade. > > https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 > > **Backwards incompatible changes** > > None > > **Features** > > None > > **Bug fixes** > > None > > Bleach changes > ============== > > Version 3.1.0 (January 9th, 2019) > --------------------------------- > > **Security fixes** > > None > > **Backwards incompatible changes** > > None > > **Features** > > * Add ``recognized_tags`` argument to the linkify ``Linker`` class. This > fixes issues when linkifying on its own and having some tags get escaped. > ... (truncated)
Commits - [`0d88dd8`](https://github.com/mozilla/bleach/commit/0d88dd83e425c4ba381d5b83fe61bfae5bbbd627) Update for v3.1.1 release - [`996cde7`](https://github.com/mozilla/bleach/commit/996cde7a2439a2323f9c4b2567c8b8449d393351) fix bug 1615315 - [`2f210e0`](https://github.com/mozilla/bleach/commit/2f210e06baacb1015bdde9896ad465dab0ccc378) Merge pull request [#435](https://github-redirect.dependabot.com/mozilla/bleach/issues/435) from willkg/3_1_0_release - [`ad910ce`](https://github.com/mozilla/bleach/commit/ad910ce30926f8698cf7c8f4ec8b32d00d0897b2) Update for 3.1.0 release - [`948b745`](https://github.com/mozilla/bleach/commit/948b745af35fb19ef4dd41779eba7ba965d97db9) Merge pull request [#433](https://github-redirect.dependabot.com/mozilla/bleach/issues/433) from willkg/357-doctest - [`245c21c`](https://github.com/mozilla/bleach/commit/245c21c3cef788dbfdb380514434497866443e87) Fix doctest failures - [`cabd665`](https://github.com/mozilla/bleach/commit/cabd665db0b0a51aa4c58aac2c47bd4bf76e9c73) Merge pull request [#432](https://github-redirect.dependabot.com/mozilla/bleach/issues/432) from willkg/431-charencoding - [`cb156cb`](https://github.com/mozilla/bleach/commit/cb156cb9054c34b817f8ed2dff92801a594b9107) Fix parsing "meta" tag with encoding attribute - [`93a060e`](https://github.com/mozilla/bleach/commit/93a060e12138e5aeaf8627b305a918c4207b9c02) Merge pull request [#429](https://github-redirect.dependabot.com/mozilla/bleach/issues/429) from willkg/422-amp - [`8d7fd48`](https://github.com/mozilla/bleach/commit/8d7fd48179b5020d9b1521be7b81e06648d868d3) Convert & to & as a Characters token - Additional commits viewable in [compare view](https://github.com/mozilla/bleach/compare/v1.4.2...v3.1.1)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dancerfly/django-brambling/network/alerts).
dependabot[bot] commented 4 years ago

Superseded by #943.