Bumps loofah from 2.0.3 to 2.2.3.

Release notes
*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*
> ## v2.2.3
> Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154).
>
> ## v2.2.2
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> which was previously a private method. This is so that downstream gems
> (like rails-html-sanitizer) can use this logic directly for their own
> attribute scrubbers should they need to address CVE-2018-8048.
>
> ## v2.2.1
> Notably, this release mitigates [CVE-2018-8048](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144).
Changelog
*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*
> ## 2.2.3 / 2018-10-30
>
> ### Security
>
> Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154)
>
>
> ## Meta / 2018-10-27
>
> The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146):
>
> * Mail: loofah-talk@googlegroups.com
> * Archive: https://groups.google.com/forum/#!forum/loofah-talk
>
> This change was made because librelist no longer appears to be maintained.
>
>
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> which was previously a private method. This is so that downstream gems
> (like rails-html-sanitizer) can use this logic directly for their own
> attribute scrubbers should they need to address CVE-2018-8048.
>
>
> ## 2.2.1 / 2018-03-19
>
> ### Security
>
> Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when given input with specially-crafted HTML fragments.
>
> This CVE's public notice is at [#144](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144)
>
>
> ## 2.2.0 / 2018-02-11
>
> ### Features:
>
> * Support HTML5 `` tag. [#133](https://github-redirect.dependabot.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
> * Recognize HTML5 block elements. [#136](https://github-redirect.dependabot.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
> * Support SVG `` tag. [#131](https://github-redirect.dependabot.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
> * Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)/[#123](https://github-redirect.dependabot.com/flavorjones/loofah/issues/123)/[#129](https://github-redirect.dependabot.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
> * Whitelist CSS property `list-style-type`. [#68](https://github-redirect.dependabot.com/flavorjones/loofah/issues/68)/[#137](https://github-redirect.dependabot.com/flavorjones/loofah/issues/137)/[#142](https://github-redirect.dependabot.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
>
> ### Bugfixes:
>
> * Properly handle nested `script` tags. [#127](https://github-redirect.dependabot.com/flavorjones/loofah/issues/127).
>
> ... (truncated)
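The changelog above names the loofah versions that address each advisory (2.2.1 for CVE-2018-8048, 2.2.3 for CVE-2018-16468). The following Ruby script is an added example, not code from this PR or from loofah itself: it reads a Gemfile.lock, picks out the locked loofah version and reports which of the two advisories that version still leaves unaddressed, so the same check can be run against a repository before and after merging a bump like this one. The lockfile contents are constructed for the example; the `specs:` parsing follows the standard Bundler lockfile layout.

```ruby
# Added example (not part of the Dependabot PR or of loofah itself): audit a
# Gemfile.lock for a loofah version that predates the fixes listed in the
# changelog. The CVE -> fixed-in mapping is taken from those changelog entries
# (2.2.1 addresses CVE-2018-8048, 2.2.3 addresses CVE-2018-16468); the sample
# lockfiles below are constructed for this example.
require "rubygems" # provides Gem::Version (loaded by default in modern Ruby)

# Minimum loofah version that addresses each advisory, per the changelog.
LOOFAH_FIXES = {
  "CVE-2018-8048"  => Gem::Version.new("2.2.1"),
  "CVE-2018-16468" => Gem::Version.new("2.2.3"),
}.freeze

# Extract "name (version)" pairs from the `specs:` sections of a Gemfile.lock.
# Only lines indented exactly four spaces carry a gem's own version; deeper
# indentation is a dependency constraint ("nokogiri (>= 1.5.9)") and is skipped.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or an unindented section header (PLATFORMS, ...) ends the list.
    in_specs = false if in_specs && line !~ /\A\s+\S/
    next unless in_specs
    if (m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Advisories the locked loofah version does not yet address (empty when the
# version is at or past every fix, or when loofah is not in the lockfile).
def unaddressed_loofah_cves(lock_text)
  locked = lockfile_versions(lock_text)["loofah"]
  return [] unless locked
  LOOFAH_FIXES.select { |_cve, fixed_in| locked < fixed_in }.keys
end

# Constructed sample: the state this PR starts from (loofah 2.0.3).
SAMPLE_LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    loofah
LOCK

# Constructed sample: the state after merging the bump (loofah 2.2.3).
SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE.sub("loofah (2.0.3)", "loofah (2.2.3)")

# Print a one-line verdict for a lockfile; the functions above return the data
# so the same check can feed a CI gate instead of stdout.
def report(label, lock_text)
  locked = lockfile_versions(lock_text)["loofah"] || "absent"
  cves = unaddressed_loofah_cves(lock_text)
  verdict = cves.empty? ? "ok" : "unaddressed: #{cves.join(', ')}"
  puts "#{label}: loofah #{locked} -> #{verdict}"
end

if __FILE__ == $PROGRAM_NAME
  report("before bump", SAMPLE_LOCK_BEFORE)
  report("after bump", SAMPLE_LOCK_AFTER)
end
```

To run it against a real repository, replace the constructed samples with `File.read("Gemfile.lock")` from the repo root; an empty result for the post-merge lockfile is the expected state once loofah 2.2.3 is locked.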
Commits
- [`cb3dbfa`](https://github.com/flavorjones/loofah/commit/cb3dbfa604195b99b3a811e040584daec7663504) version bump to v2.2.3 and update CHANGELOG
- [`71e4b54`](https://github.com/flavorjones/loofah/commit/71e4b5434fbcb2ad87643f0c9fecfc3a847943c4) remove the svg animate attribute `from` from the allowlist
- [`3556e2b`](https://github.com/flavorjones/loofah/commit/3556e2b44f7401aaccbb10e2abac4e044391267a) add formatting to CHANGELOG
- [`ac7c50d`](https://github.com/flavorjones/loofah/commit/ac7c50de12398c90ffba907bf132af66bcc242be) updated mailing list to a new Google Group
- [`de6b0f3`](https://github.com/flavorjones/loofah/commit/de6b0f33cde92b6028c1ef973e5fc24478890fc9) extract msword html data into an asset file
- [`37af4ee`](https://github.com/flavorjones/loofah/commit/37af4ee08f9e9531e24287c2783a79d331fc9243) version bump to 2.2.2
- [`56e95a6`](https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe) Make public `force_correct_attribute_escaping!`
- [`9452bff`](https://github.com/flavorjones/loofah/commit/9452bff056f82d6ea7cbc9c054c1eb39900ceeea) use VersionInfo.instance
- [`7541374`](https://github.com/flavorjones/loofah/commit/7541374548ee9be53c463a3172cf4d28356ebe1c) version bump to 2.2.1
- [`70bd089`](https://github.com/flavorjones/loofah/commit/70bd089c31eac06f6156893aab0b2665fb9cf320) update Manifest.txt and CHANGELOG.md
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.0.3...v2.2.3)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/tom-and-the-toothfairies/pathways/network/alerts).