dependabot-common 0.118.3 → 0.118.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d722e5df4607da96bfecc6e9f8fee39ff7ece6b069aaa25652c37fe1899e862b
-  data.tar.gz: '002249968a3815f8ece501ee39825d7b98630d44a2015c3e198346452646cb33'
+  metadata.gz: 845830fad18e1ab13ddd0595967f4b92e669ba13c45f4a682bad0591cb7864d0
+  data.tar.gz: 3ded0bc265a44c5d15492a7dbe51f323d99232ff752c12e261f6e094d6912d28
 SHA512:
-  metadata.gz: 255df4e43643c130fd8e947a49e8c951234e6e66da0fef3c165f4521d176b478c70bff9dd2fa223a26641c4124280681100d8cd3c17ec3839cebf99465a3b7a8
-  data.tar.gz: 5beed00fd52d9f8ed67e50580f9eb509dab6071c8ade88f22002e70d4007cefc88b4a592360b887356cd74d4a76e58db575a970822bbe8db90a132ab577f9b73
+  metadata.gz: ca234ac529c0ae36d5fd0283bf3b4e30d5d6a63e1fb544a7cf60d471065619cd8e45a53095b2af1e7d8ef5df200f667770887210d58f79595812234080f8470a
+  data.tar.gz: c25caa46c1ffd80d407471e6027907a31b63868c3c04476c1f3659b90f754e1c30ff82b6c5e79ca447430b99b4a0bbaa187492b04284670901257957fe6da05c

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -323,7 +323,7 @@ module Dependabot
         msg += commits_cascade(dep)
         msg += maintainer_changes_cascade(dep)
         msg += break_tag unless msg == ""
-        "\n" + sanitize_links_and_mentions(msg)
+        "\n" + sanitize_links_and_mentions(msg, unsafe: true)
       end
 
       def vulnerabilities_cascade(dep)
@@ -437,7 +437,7 @@ module Dependabot
 
         build_details_tag(
           summary: "Maintainer changes",
-          body: maintainer_changes(dep) + "\n"
+          body: sanitize_links_and_mentions(maintainer_changes(dep)) + "\n"
         )
       end
 
@@ -680,12 +680,12 @@ module Dependabot
         end
       end
 
-      def sanitize_links_and_mentions(text)
+      def sanitize_links_and_mentions(text, unsafe: false)
         return text unless source.provider == "github"
 
         LinkAndMentionSanitizer.
           new(github_redirection_service: github_redirection_service).
-          sanitize_links_and_mentions(text: text)
+          sanitize_links_and_mentions(text: text, unsafe: unsafe)
       end
 
       def sanitize_template_tags(text)

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -17,9 +17,8 @@ module Dependabot
         MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@#{GITHUB_USERNAME}/?}.freeze
         # End of string
         EOS_REGEX = /\z/.freeze
-        # We rely on GitHub to do the HTML sanitization
         COMMONMARKER_OPTIONS = %i(
-          UNSAFE GITHUB_PRE_LANG FULL_INFO_STRING
+          GITHUB_PRE_LANG FULL_INFO_STRING
         ).freeze
         COMMONMARKER_EXTENSIONS = %i(
           table tasklist strikethrough autolink tagfilter
@@ -31,14 +30,15 @@ module Dependabot
           @github_redirection_service = github_redirection_service
         end
 
-        def sanitize_links_and_mentions(text:)
+        def sanitize_links_and_mentions(text:, unsafe: false)
           doc = CommonMarker.render_doc(
             text, :LIBERAL_HTML_TAG, COMMONMARKER_EXTENSIONS
           )
 
           sanitize_mentions(doc)
           sanitize_links(doc)
-          doc.to_html(COMMONMARKER_OPTIONS, COMMONMARKER_EXTENSIONS)
+          mode = unsafe ? :UNSAFE : :DEFAULT
+          doc.to_html(([mode] + COMMONMARKER_OPTIONS), COMMONMARKER_EXTENSIONS)
         end
 
         private

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.118.3"
+  VERSION = "0.118.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.118.3
+  version: 0.118.4
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-18 00:00:00.000000000 Z
+date: 2020-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit