ga-wdi-boston / rails-api

Introduction to MVC concepts and their implementation in Rails.
Other
6 stars 159 forks source link

Bump loofah from 2.0.3 to 2.4.0 #59

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps loofah from 2.0.3 to 2.4.0.

Release notes

Sourced from loofah's releases.

2.4.0 / 2019-11-25

Features

  • Allow CSS property max-width #175 (Thanks, @bchaney!)
  • Allow CSS sizes expressed in rem [#176, #177]
  • Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

  • Expand set of allowed protocols to include tel: and line:. [#104, #147]
  • Expand set of allowed CSS functions. [related to #122]
  • Allow greater precision in shorthand CSS values. #149 (Thanks, @danfstucky!)
  • Allow CSS property list-style #162 (Thanks, @jaredbeck!)
  • Allow CSS keywords thick and thin #168 (Thanks, @georgeclaghorn!)
  • Allow HTML property contenteditable #167 (Thanks, @andreynering!)

Bug fixes

  • CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

  • Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
  • Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
  • Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

... (truncated)
Changelog

Sourced from loofah's changelog.

2.4.0 / 2019-11-25

Features

  • Allow CSS property max-width #175 (Thanks, @bchaney!)
  • Allow CSS sizes expressed in rem [#176, #177]
  • Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

  • Expand set of allowed protocols to include tel: and line:. [#104, #147]
  • Expand set of allowed CSS functions. [related to #122]
  • Allow greater precision in shorthand CSS values. #149 (Thanks, @danfstucky!)
  • Allow CSS property list-style #162 (Thanks, @jaredbeck!)
  • Allow CSS keywords thick and thin #168 (Thanks, @georgeclaghorn!)
  • Allow HTML property contenteditable #167 (Thanks, @andreynering!)

Bug fixes

  • CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

  • Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
  • Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
  • Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3 / 2018-10-30

Security

... (truncated)
Commits
  • 724ac1c version bump to v2.4.0
  • e808fb6 ci: don't turn on frozen strings until after bundle install
  • 0eb9976 update CHANGELOG
  • 0783f5b add magic comment for frozen string literals to all files
  • 5ce3a71 add rubocop as dev dep and configure security and frozen string cops
  • 82ae384 test suite should check compatibility with frozen string literals
  • 8747065 Merge pull request #175 from bchaney/allow-css-max-width
  • 2767ae3 Merge pull request #177 from flavorjones/176-allow-rem-css-sizes
  • 13f734f css sanitizer allows "rem" sizes
  • 2699b61 Allow CSS property: max-width
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ga-wdi-boston/rails-api/network/alerts).