shinosakarb / tebukuro

Build communities and ticketing
https://shinosakarb.github.io/tebukuro/
BSD 3-Clause "New" or "Revised" License
44 stars 17 forks source link

[Security] Bump loofah from 2.2.3 to 2.6.0 #349

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps loofah from 2.2.3 to 2.6.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.3.1 Unaffected versions: none

Release notes

Sourced from loofah's releases.

2.4.0 / 2019-11-25

Features

  • Allow CSS property max-width #175 (Thanks, @bchaney!)
  • Allow CSS sizes expressed in rem [#176, #177]
  • Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

  • Expand set of allowed protocols to include tel: and line:. [#104, #147]
  • Expand set of allowed CSS functions. [related to #122]
  • Allow greater precision in shorthand CSS values. #149 (Thanks, @danfstucky!)
  • Allow CSS property list-style #162 (Thanks, @jaredbeck!)
  • Allow CSS keywords thick and thin #168 (Thanks, @georgeclaghorn!)
  • Allow HTML property contenteditable #167 (Thanks, @andreynering!)

Bug fixes

  • CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

  • Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
  • Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
  • Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

Changelog

Sourced from loofah's changelog.

2.6.0 / 2020-06-16

Features

2.5.0 / 2020-04-05

Features

  • Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

  • Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

2.4.0 / 2019-11-25

Features

  • Allow CSS property max-width [#175] (Thanks, @bchaney!)
  • Allow CSS sizes expressed in rem [#176, #177]
  • Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at #171

2.3.0 / 2019-09-28

Features

  • Expand set of allowed protocols to include tel: and line:. [#104, #147]
  • Expand set of allowed CSS functions. [related to #122]
  • Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
... (truncated)
Commits
  • e48f298 version bump to v2.6.0
  • 4e8a64c ci: update pipeline icon to "cog"
  • c3d8a6d update CHANGELOG
  • 93289f2 dep: update to hoe-markdown ~> v1.2
  • 9ac6450 ci: remove serial group on PR pipeline
  • e14b903 Merge pull request #188 from pipefy/add-css-keywords
  • b519a4a order alphabeticaly
  • 6c329e8 ci: update github icons
  • deb3fa3 maintenance: use hoe-markdown to manage markdown files
  • 296da9b packaging: update gemspec changelog URL
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Superseded by #351.