govuk_tech_docs 3.3.0 → 3.3.1

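--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1fe53bb05a63a24a2d7d501d04fa172433d89e8f5fcd48bc4fc9313e97325ad0
-data.tar.gz: 4b53d1f86522ae3807c40ba806befd97c5da2b42d92666fde35ac00bc0c89eba
+metadata.gz: e56428dbc592284d70ca0c9880c6c99fd10cd72da62a7008bbc11237e49c486c
+data.tar.gz: b328aa30ba2a6fc8666abf3c9ede2a7a93639604ef0a1705626632479400f117
 SHA512:
-metadata.gz: 1b5bbfc06fe8387ddc6eae181fef27fca01d2afdefa68a7a5833e77d8eeb30e76335dc32fd13ca20501b88a107e8f0dfe3f0a64ba3cd8dcd9cfa1dc73e0c738f
-data.tar.gz: 50751bf31f0ab377dca9618e749b9f8cbc029cf7a096085e8fdcea3d7004f42ce5901703bbb2c3cb11768aed369232226d74764a9347f02a5787b8822a9ef90d
+metadata.gz: c7aad01df604f63f875ecd96a9ace7f003e7a34eb6eb71c176e36cb1a11a8bf61af50231561338d8853c2c853e8d0aa5d69388f8ef7e5e83cf3355fc3b7cc9aa
+data.tar.gz: c0f2915a6922e499f4ed1eb39262c7176bc64df8467a0be1ba1579af8cdea0fc6bef3c1415822f1aff6f80c679ed0d9fedce4a4ccd9799932bf0aabb196a4747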
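--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## Unreleased
 
+## 3.3.1
+
+This change solves a potential security issue with HTML snippets. Pages indexed in search results have their entire contents indexed, including any HTML code snippets. These HTML snippets would appear in the search results unsanitised, making it possible to render arbitrary HTML or run arbitrary scripts.
+
+You can see more detail about this issue at [#323: Fix XSS vulnerability on search results page](https://github.com/alphagov/tech-docs-gem/pull/323)
+
 ## 3.3.0
 
 ### New features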
@@ -169,8 +169,8 @@
169
169
 
170
170
  this.processContent = function processContent (content, query) {
171
171
  var output
172
- content = '<div>' + content + '</div>'
173
- content = $(content).mark(query)
172
+ var sanitizedContent = $('<div></div>').text(content).html()
173
+ content = $('<div>' + sanitizedContent + '</div>').mark(query)
174
174
 
175
175
  // Split content by sentence.
176
176
  var sentences = content.html().replace(/(\.+|:|!|\?|\r|\n)("*|'*|\)*|}*|]*)/gm, '|').split('|')
@@ -1,3 +1,3 @@
1
1
  module GovukTechDocs
2
- VERSION = "3.3.0".freeze
2
+ VERSION = "3.3.1".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_tech_docs
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.0
4
+ version: 3.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Government Digital Service
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-12-22 00:00:00.000000000 Z
11
+ date: 2023-04-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: autoprefixer-rails