theodi / member-directory

The ODI's member directory frontend application
MIT License

[Security] Bump loofah from 2.1.1 to 2.2.2 #831

Open dependabot-preview[bot] opened 6 years ago

dependabot-preview[bot] commented 6 years ago

Bumps loofah from 2.1.1 to 2.2.2. This update includes security fixes.

Vulnerabilities fixed

> **Loofah XSS Vulnerability**
> Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
>
> Patched versions: [">= 2.2.1"]
> Unaffected versions: []
Release notes
*Sourced from loofah's [releases](https://github.com/flavorjones/loofah/releases).*

> ## v2.2.2
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
Changelog
*Sourced from loofah's [changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*

> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
>
> ## 2.2.1 / 2018-03-19
>
> Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
>
> This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> ## 2.2.0 / 2018-02-11
>
> Features:
>
> * Support HTML5 `` tag. [#133](https://github-redirect.dependabot.com/flavorjones/loofah/issues/133) (Thanks, [**MothOnMars**](https://github.com/MothOnMars)!)
> * Recognize HTML5 block elements. [#136](https://github-redirect.dependabot.com/flavorjones/loofah/issues/136) (Thanks, [**MothOnMars**](https://github.com/MothOnMars)!)
> * Support SVG `` tag. [#131](https://github-redirect.dependabot.com/flavorjones/loofah/issues/131) (Thanks, [**baopham**](https://github.com/baopham)!)
> * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, [**NikoRoberts**](https://github.com/NikoRoberts)!)
> * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, [**andela**](https://github.com/andela)-ysanni and [**NikoRoberts**](https://github.com/NikoRoberts)!)
>
> Bugfixes:
>
> * Properly handle nested `script` tags. [#127](https://github-redirect.dependabot.com/flavorjones/loofah/issues/127).
Commits
- [`37af4ee`](https://github.com/flavorjones/loofah/commit/37af4ee08f9e9531e24287c2783a79d331fc9243) version bump to 2.2.2
- [`56e95a6`](https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe) Make public `force_correct_attribute_escaping!`
- [`9452bff`](https://github.com/flavorjones/loofah/commit/9452bff056f82d6ea7cbc9c054c1eb39900ceeea) use VersionInfo.instance
- [`7541374`](https://github.com/flavorjones/loofah/commit/7541374548ee9be53c463a3172cf4d28356ebe1c) version bump to 2.2.1
- [`70bd089`](https://github.com/flavorjones/loofah/commit/70bd089c31eac06f6156893aab0b2665fb9cf320) update Manifest.txt and CHANGELOG.md
- [`332ec6a`](https://github.com/flavorjones/loofah/commit/332ec6a7086fbb38cf08a905aed7c8a3ee43e505) Merge branch 'flavorjones-remediate-attribute-escaping'
- [`f739cf8`](https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116) tests and fix for CVE-2018-8048
- [`0c97c74`](https://github.com/flavorjones/loofah/commit/0c97c745aaec27f7bba4edd74be0e7d7cb9b82ad) SECURITY.md to publish vuln reporting process
- [`d64b74d`](https://github.com/flavorjones/loofah/commit/d64b74d13f6c50c18a9a7168cdcc09b9be5b63d9) bump the fake gemspec
- [`08cc110`](https://github.com/flavorjones/loofah/commit/08cc1100ecba81c47184d1b1fe7131f500d2ba15) fix remaining rdoc format in README
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.1.1...v2.2.2)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.
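The advisory quoted in this PR states the fix purely as a version range (patched `>= 2.2.1`, no unaffected versions), which is exactly what a lockfile audit needs in order to decide whether a pin such as `loofah (2.1.1)` is exposed to CVE-2018-8048. The script below is an added example, not code from theodi/member-directory, loofah or Dependabot: it parses a constructed `Gemfile.lock` fragment, reads the pinned version of each advised gem from the `specs:` section, and compares it against the advisory's patched and unaffected requirements using `Gem::Version` and `Gem::Requirement` from rubygems (shipped with Ruby, so nothing else needs installing). The `ADVISORIES` table, `SAMPLE_LOCKFILE` and the helper names `pinned_versions`, `patched?` and `audit` are illustrative assumptions.

```ruby
# Added example, not part of the theodi/member-directory project, loofah or Dependabot.
# Audits a Gemfile.lock against a version-range advisory (here, the one quoted in this PR).
require 'rubygems'

# Advisory as stated in the PR: patched versions [">= 2.2.1"], unaffected versions [].
# The CVE identifier comes from the loofah changelog quoted above.
ADVISORIES = [
  { gem: 'loofah', cve: 'CVE-2018-8048', patched: ['>= 2.2.1'], unaffected: [] }
].freeze

# Constructed sample lockfile (not the project's real one) pinning loofah at 2.1.1,
# the version this PR bumps from. Layout follows Bundler's format: top-level specs
# are indented four spaces, their transitive requirements six.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.1.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    loofah
LOCK

# Returns { "gem_name" => "x.y.z" } for every top-level entry in the specs: section.
# Only four-space-indented lines are taken as pins, so a transitive requirement such as
# "crass (~> 1.0.2)" (six spaces, a range rather than a version) is never mistaken for one.
def pinned_versions(lockfile_text)
  pins = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty? # blank line ends the section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      pins[m[1]] = m[2]
    end
  end
  pins
end

# A pinned version is safe when it satisfies any patched or any unaffected requirement.
def patched?(version, advisory)
  v = Gem::Version.new(version)
  (advisory[:patched] + advisory[:unaffected]).any? do |req|
    Gem::Requirement.new(req).satisfied_by?(v)
  end
end

# Returns one finding per advised gem that is pinned to an unpatched version.
# An empty result means every advised gem is either absent or already patched.
def audit(lockfile_text, advisories = ADVISORIES)
  pins = pinned_versions(lockfile_text)
  advisories.each_with_object([]) do |adv, findings|
    version = pins[adv[:gem]]
    next if version.nil? || patched?(version, adv)
    findings << { gem: adv[:gem], version: version, cve: adv[:cve],
                  fix: adv[:patched].join(', ') }
  end
end

audit(SAMPLE_LOCKFILE).each do |f|
  puts "#{f[:gem]} #{f[:version]} is affected by #{f[:cve]}; upgrade to #{f[:fix]}"
end
```

To run it against a real checkout, replace `SAMPLE_LOCKFILE` with `File.read('Gemfile.lock')`; once this PR is merged the loofah pin becomes `2.2.2` and `audit` returns no findings. The check deliberately reads the lockfile rather than the `Gemfile`, because the lockfile is what Bundler actually installs, and it evaluates only the ranges the advisory states, so a gem missing from `ADVISORIES` is never reported.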