RubyGems - govuk_tech_docs - Versions diffs - 3.3.0 → 3.3.1 - Mend

govuk_tech_docs 3.3.0 → 3.3.1

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1fe53bb05a63a24a2d7d501d04fa172433d89e8f5fcd48bc4fc9313e97325ad0
-  data.tar.gz: 4b53d1f86522ae3807c40ba806befd97c5da2b42d92666fde35ac00bc0c89eba
+  metadata.gz: e56428dbc592284d70ca0c9880c6c99fd10cd72da62a7008bbc11237e49c486c
+  data.tar.gz: b328aa30ba2a6fc8666abf3c9ede2a7a93639604ef0a1705626632479400f117
 SHA512:
-  metadata.gz: 1b5bbfc06fe8387ddc6eae181fef27fca01d2afdefa68a7a5833e77d8eeb30e76335dc32fd13ca20501b88a107e8f0dfe3f0a64ba3cd8dcd9cfa1dc73e0c738f
-  data.tar.gz: 50751bf31f0ab377dca9618e749b9f8cbc029cf7a096085e8fdcea3d7004f42ce5901703bbb2c3cb11768aed369232226d74764a9347f02a5787b8822a9ef90d
+  metadata.gz: c7aad01df604f63f875ecd96a9ace7f003e7a34eb6eb71c176e36cb1a11a8bf61af50231561338d8853c2c853e8d0aa5d69388f8ef7e5e83cf3355fc3b7cc9aa
+  data.tar.gz: c0f2915a6922e499f4ed1eb39262c7176bc64df8467a0be1ba1579af8cdea0fc6bef3c1415822f1aff6f80c679ed0d9fedce4a4ccd9799932bf0aabb196a4747

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 ## Unreleased
+## 3.3.1
+This change solves a potential security issue with HTML snippets. Pages indexed in search results have their entire contents indexed, including any HTML code snippets. These HTML snippets would appear in the search results unsanitised, making it possible to render arbitrary HTML or run arbitrary scripts.
+You can see more detail about this issue at [#323: Fix XSS vulnerability on search results page](https://github.com/alphagov/tech-docs-gem/pull/323)
 ## 3.3.0
 ### New features

data/lib/assets/javascripts/_modules/search.js CHANGED Viewed

@@ -169,8 +169,8 @@
     this.processContent = function processContent (content, query) {
       var output
-      content = '<div>' + content + '</div>'
-      content = $(content).mark(query)
+      var sanitizedContent = $('<div></div>').text(content).html()
+      content = $('<div>' + sanitizedContent + '</div>').mark(query)
       // Split content by sentence.
       var sentences = content.html().replace(/(\.+|:|!|\?|\r|\n)("*|'*|\)*|}*|]*)/gm, '|').split('|')

data/lib/govuk_tech_docs/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GovukTechDocs
-  VERSION = "3.3.0".freeze
+  VERSION = "3.3.1".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_tech_docs
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.3.1
 platform: ruby
 authors:
 - Government Digital Service
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-12-22 00:00:00.000000000 Z
+date: 2023-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: autoprefixer-rails