Release notes
*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*
> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
>
>
>
> ## v2.2.3
> Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154).
>
> ## v2.2.2
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> which was previously a private method. This is so that downstream gems
> (like rails-html-sanitizer) can use this logic directly for their own
> attribute scrubbers should they need to address CVE-2018-8048.
>
> ## v2.2.1
> Notably, this release mitigates [CVE-2018-8048](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144).
> ... (truncated)
Changelog
*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*
> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
>
>
> ## 2.2.3 / 2018-10-30
>
> ### Security
>
> Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154)
>
>
> ## Meta / 2018-10-27
>
> The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146):
>
> ... (truncated)
Commits
- [`83df303`](https://github.com/flavorjones/loofah/commit/83df303aa14d58f76349b59e6917ae61ce011a83) version bump to v2.3.1
- [`e323a77`](https://github.com/flavorjones/loofah/commit/e323a776dd2755a837a67895eaa3cdae44495254) Merge pull request [#172](https://github-redirect.dependabot.com/flavorjones/loofah/issues/172) from flavorjones/171-xss-vulnerability
- [`1d81f91`](https://github.com/flavorjones/loofah/commit/1d81f919bd29458a3b80966f9b6870b74b839dc9) update CHANGELOG
- [`0c6617a`](https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec) mitigate XSS vulnerability in SVG animate attributes
- [`a5bd819`](https://github.com/flavorjones/loofah/commit/a5bd819f3ef13d5d4595106557c26169df2ef3a0) rufo formatting
- [`1bdf276`](https://github.com/flavorjones/loofah/commit/1bdf27600cf2433eb71fa542cce210663d8abef8) formatting in README
- [`1908dc2`](https://github.com/flavorjones/loofah/commit/1908dc2defba6049bc17519c8b128d7030915204) update CHANGELOG with release date
- [`bcbd7b3`](https://github.com/flavorjones/loofah/commit/bcbd7b373176db3b4b2b249caaf196b625779c1b) update dev gemspec
- [`f6d4c2d`](https://github.com/flavorjones/loofah/commit/f6d4c2d1b094e33848ed454f4a69f3c12cd44084) version bump to v2.3.0
- [`08fee8c`](https://github.com/flavorjones/loofah/commit/08fee8c85fb9e1c5a910491c1f5a8f8926a0600d) update dev deps
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.1.1...v2.3.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/para-cms/para/network/alerts).
Bumps loofah from 2.1.1 to 2.3.1.
Release notes
*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).* > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive. > > > > ## v2.2.3 > Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154). > > ## v2.2.2 > ## 2.2.2 / 2018-03-22 > > Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, > which was previously a private method. This is so that downstream gems > (like rails-html-sanitizer) can use this logic directly for their own > attribute scrubbers should they need to address CVE-2018-8048. > > ## v2.2.1 > Notably, this release mitigates [CVE-2018-8048](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144). > ... (truncated)Changelog
*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).* > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive. > > > ## 2.2.3 / 2018-10-30 > > ### Security > > Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154) > > > ## Meta / 2018-10-27 > > The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146): > > ... (truncated)Commits
- [`83df303`](https://github.com/flavorjones/loofah/commit/83df303aa14d58f76349b59e6917ae61ce011a83) version bump to v2.3.1 - [`e323a77`](https://github.com/flavorjones/loofah/commit/e323a776dd2755a837a67895eaa3cdae44495254) Merge pull request [#172](https://github-redirect.dependabot.com/flavorjones/loofah/issues/172) from flavorjones/171-xss-vulnerability - [`1d81f91`](https://github.com/flavorjones/loofah/commit/1d81f919bd29458a3b80966f9b6870b74b839dc9) update CHANGELOG - [`0c6617a`](https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec) mitigate XSS vulnerability in SVG animate attributes - [`a5bd819`](https://github.com/flavorjones/loofah/commit/a5bd819f3ef13d5d4595106557c26169df2ef3a0) rufo formatting - [`1bdf276`](https://github.com/flavorjones/loofah/commit/1bdf27600cf2433eb71fa542cce210663d8abef8) formatting in README - [`1908dc2`](https://github.com/flavorjones/loofah/commit/1908dc2defba6049bc17519c8b128d7030915204) update CHANGELOG with release date - [`bcbd7b3`](https://github.com/flavorjones/loofah/commit/bcbd7b373176db3b4b2b249caaf196b625779c1b) update dev gemspec - [`f6d4c2d`](https://github.com/flavorjones/loofah/commit/f6d4c2d1b094e33848ed454f4a69f3c12cd44084) version bump to v2.3.0 - [`08fee8c`](https://github.com/flavorjones/loofah/commit/08fee8c85fb9e1c5a910491c1f5a8f8926a0600d) update dev deps - Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.1.1...v2.3.1)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/para-cms/para/network/alerts).