megamsys / nilavu

Open Source Cloud Management Platform - VM's, Docker, Containers, Applications on the go
https:/www.megam.io
MIT License
56 stars 169 forks source link

Bump loofah from 2.0.3 to 2.2.3 #1243

Closed dependabot[bot] closed 5 years ago

dependabot[bot] commented 5 years ago

Bumps loofah from 2.0.3 to 2.2.3.

Release notes *Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).* > ## v2.2.3 > Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154). > > ## v2.2.2 > ## 2.2.2 / 2018-03-22 > > Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, > which was previously a private method. This is so that downstream gems > (like rails-html-sanitizer) can use this logic directly for their own > attribute scrubbers should they need to address CVE-2018-8048. > > ## v2.2.1 > Notably, this release mitigates [CVE-2018-8048](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144).
Changelog *Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).* > ## 2.2.3 / 2018-10-30 > > ### Security > > Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154) > > > ## Meta / 2018-10-27 > > The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146): > > * Mail: loofah-talk@googlegroups.com > * Archive: https://groups.google.com/forum/#!forum/loofah-talk > > This change was made because librelist no longer appears to be maintained. > > > ## 2.2.2 / 2018-03-22 > > Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, > which was previously a private method. This is so that downstream gems > (like rails-html-sanitizer) can use this logic directly for their own > attribute scrubbers should they need to address CVE-2018-8048. > > > ## 2.2.1 / 2018-03-19 > > ### Security > > Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. > > This CVE's public notice is at [#144](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144) > > > ## 2.2.0 / 2018-02-11 > > ### Features: > > * Support HTML5 `
` tag. [#133](https://github-redirect.dependabot.com/flavorjones/loofah/issues/133) (Thanks, [@​MothOnMars](https://github.com/MothOnMars)!) > * Recognize HTML5 block elements. [#136](https://github-redirect.dependabot.com/flavorjones/loofah/issues/136) (Thanks, [@​MothOnMars](https://github.com/MothOnMars)!) > * Support SVG `` tag. [#131](https://github-redirect.dependabot.com/flavorjones/loofah/issues/131) (Thanks, [@​baopham](https://github.com/baopham)!) > * Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)/[#123](https://github-redirect.dependabot.com/flavorjones/loofah/issues/123)/[#129](https://github-redirect.dependabot.com/flavorjones/loofah/issues/129) (Thanks, [@​NikoRoberts](https://github.com/NikoRoberts)!) > * Whitelist CSS property `list-style-type`. [#68](https://github-redirect.dependabot.com/flavorjones/loofah/issues/68)/[#137](https://github-redirect.dependabot.com/flavorjones/loofah/issues/137)/[#142](https://github-redirect.dependabot.com/flavorjones/loofah/issues/142) (Thanks, [@​andela-ysanni](https://github.com/andela-ysanni) and [@​NikoRoberts](https://github.com/NikoRoberts)!) > > ### Bugfixes: > > * Properly handle nested `script` tags. [#127](https://github-redirect.dependabot.com/flavorjones/loofah/issues/127). > > ... (truncated)
Commits - [`cb3dbfa`](https://github.com/flavorjones/loofah/commit/cb3dbfa604195b99b3a811e040584daec7663504) version bump to v2.2.3 and update CHANGELOG - [`71e4b54`](https://github.com/flavorjones/loofah/commit/71e4b5434fbcb2ad87643f0c9fecfc3a847943c4) remove the svg animate attribute `from` from the allowlist - [`3556e2b`](https://github.com/flavorjones/loofah/commit/3556e2b44f7401aaccbb10e2abac4e044391267a) add formatting to CHANGELOG - [`ac7c50d`](https://github.com/flavorjones/loofah/commit/ac7c50de12398c90ffba907bf132af66bcc242be) updated mailing list to a new Google Group - [`de6b0f3`](https://github.com/flavorjones/loofah/commit/de6b0f33cde92b6028c1ef973e5fc24478890fc9) extract msword html data into an asset file - [`37af4ee`](https://github.com/flavorjones/loofah/commit/37af4ee08f9e9531e24287c2783a79d331fc9243) version bump to 2.2.2 - [`56e95a6`](https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe) Make public `force_correct_attribute_escaping!` - [`9452bff`](https://github.com/flavorjones/loofah/commit/9452bff056f82d6ea7cbc9c054c1eb39900ceeea) use VersionInfo.instance - [`7541374`](https://github.com/flavorjones/loofah/commit/7541374548ee9be53c463a3172cf4d28356ebe1c) version bump to 2.2.1 - [`70bd089`](https://github.com/flavorjones/loofah/commit/70bd089c31eac06f6156893aab0b2665fb9cf320) update Manifest.txt and CHANGELOG.md - Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.0.3...v2.2.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/megamsys/nilavu/network/alerts).
dependabot[bot] commented 5 years ago

Superseded by #1246.