RubyGems - loofah - Versions diffs - 2.5.0 → 2.6.0 - Mend

loofah 2.5.0 → 2.6.0

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 052a847ba3f873261fa917f028171997ba40b96a5afc4339d98dbfd252905a91
-  data.tar.gz: 1e348bd51955411df0ed0b170460b30fa150594b8c7a60a40c80de0d485f9e94
+  metadata.gz: '0378734abbcf1f374d8d501038180ff4d9492e4282ffe4d6134322dd213fc80b'
+  data.tar.gz: 54955254f4179bf55adfc5bdaf3464c8a8f921f6e8e7fc92d9d2588b4fea02b1
 SHA512:
-  metadata.gz: 013d4c78bbaedf2b845d33b4bca6c6e483a36b8b774931dea2071e080657e34e2725ee4dffa48db6eb389898640b8b475009ac70efc5e0b319646ae5b7822a85
-  data.tar.gz: 26742f775c503fbe56255e46963887ae769182574bc6cd7070168c50e92a5ddefa83208ff8930346f6ce7bad74624913221b84f5f3abbc60254c1530595c858e
+  metadata.gz: e80d9e87682cbfd18b6f86a10f9928c3b94fb7f123792d8284344cf65a878a1ee8258b408dac8df87791ca5beda99858dfbac6515334d87bc2d98b45cdf17802
+  data.tar.gz: da7fd4181e8f829837f0d1458e856b8ace6ed94fa13cdc227bc9432baaff0ec514f894b04b9d00157c6edddcff6a714284bc42a1c878a2ddb90d08b68931dba9

data/CHANGELOG.md CHANGED

@@ -1,30 +1,37 @@
 # Changelog
+## 2.6.0 / 2020-06-16
+### Features
+* Allow CSS `border-style` keywords. [[#188](https://github.com/flavorjones/loofah/issues/188)] (Thanks, [@tarcisiozf](https://github.com/tarcisiozf)!)
 ## 2.5.0 / 2020-04-05
 ### Features
-* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)
+* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [[#178](https://github.com/flavorjones/loofah/issues/178)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
 ### Fixes
-* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [#80]
+* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [[#80](https://github.com/flavorjones/loofah/issues/80)]
 ### Other changes
-* Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
-* Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)
+* Gem metadata being set [[#181](https://github.com/flavorjones/loofah/issues/181)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
+* Test files removed from gem file [[#180](https://github.com/flavorjones/loofah/issues/180),[#166](https://github.com/flavorjones/loofah/issues/166),[#159](https://github.com/flavorjones/loofah/issues/159)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas) and [@greysteil](https://github.com/greysteil)!)
 ## 2.4.0 / 2019-11-25
 ### Features
-* Allow CSS property `max-width` [#175] (Thanks, @bchaney!)
-* Allow CSS sizes expressed in `rem` [#176, #177]
-* Add `frozen_string_literal: true` magic comment to all `lib` files. [#118]
+* Allow CSS property `max-width` [[#175](https://github.com/flavorjones/loofah/issues/175)] (Thanks, [@bchaney](https://github.com/bchaney)!)
+* Allow CSS sizes expressed in `rem` [[#176](https://github.com/flavorjones/loofah/issues/176), [#177](https://github.com/flavorjones/loofah/issues/177)]
+* Add `frozen_string_literal: true` magic comment to all `lib` files. [[#118](https://github.com/flavorjones/loofah/issues/118)]
 ## 2.3.1 / 2019-10-22
@@ -33,24 +40,24 @@
 Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
+This CVE's public notice is at [#171](https://github.com/flavorjones/loofah/issues/171)
 ## 2.3.0 / 2019-09-28
 ### Features
-* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
-* Expand set of allowed CSS functions. [related to #122]
-* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
-* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
-* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
-* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
+* Expand set of allowed protocols to include `tel:` and `line:`. [[#104](https://github.com/flavorjones/loofah/issues/104), [#147](https://github.com/flavorjones/loofah/issues/147)]
+* Expand set of allowed CSS functions. [related to [#122](https://github.com/flavorjones/loofah/issues/122)]
+* Allow greater precision in shorthand CSS values. [[#149](https://github.com/flavorjones/loofah/issues/149)] (Thanks, [@danfstucky](https://github.com/danfstucky)!)
+* Allow CSS property `list-style` [[#162](https://github.com/flavorjones/loofah/issues/162)] (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
+* Allow CSS keywords `thick` and `thin` [[#168](https://github.com/flavorjones/loofah/issues/168)] (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
+* Allow HTML property `contenteditable` [[#167](https://github.com/flavorjones/loofah/issues/167)] (Thanks, [@andreynering](https://github.com/andreynering)!)
 ### Bug fixes
-* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
+* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [[#165](https://github.com/flavorjones/loofah/issues/165)] (Thanks, [@asok](https://github.com/asok)!)
 ### Deprecations / Name Changes
@@ -61,7 +68,7 @@ The following method and constants are hereby deprecated, and will be completely
 * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
 * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
-Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
+Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
 ## 2.2.3 / 2018-10-30
@@ -70,7 +77,7 @@ Thanks to @JuanitoFatas for submitting these changes in #164 and for making the
 Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+This CVE's public notice is at [#154](https://github.com/flavorjones/loofah/issues/154)
 ## Meta / 2018-10-27
@@ -97,76 +104,76 @@ attribute scrubbers should they need to address CVE-2018-8048.
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
+This CVE's public notice is at [#144](https://github.com/flavorjones/loofah/issues/144)
 ## 2.2.0 / 2018-02-11
 ### Features:
-* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
-* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
-* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
-* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
-* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
+* Support HTML5 `<main>` tag. [#133](https://github.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Recognize HTML5 block elements. [#136](https://github.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Support SVG `<symbol>` tag. [#131](https://github.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
+* Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github.com/flavorjones/loofah/issues/122)/[#123](https://github.com/flavorjones/loofah/issues/123)/[#129](https://github.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
+* Whitelist CSS property `list-style-type`. [#68](https://github.com/flavorjones/loofah/issues/68)/[#137](https://github.com/flavorjones/loofah/issues/137)/[#142](https://github.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
 ### Bugfixes:
-* Properly handle nested `script` tags. #127.
+* Properly handle nested `script` tags. [#127](https://github.com/flavorjones/loofah/issues/127).
 ## 2.1.1 / 2017-09-24
 ### Bugfixes:
-* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
+* Removed warning for unused variable. [#124](https://github.com/flavorjones/loofah/issues/124) (Thanks, [@y-yagi](https://github.com/y-yagi)!)
 ## 2.1.0 / 2017-09-24
 ### Notes:
-* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
+* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. [#91](https://github.com/flavorjones/loofah/issues/91)
 ### Features:
-* Added :noopener HTML scrubber (Thanks, @tastycode!)
-* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
+* Added :noopener HTML scrubber (Thanks, [@tastycode](https://github.com/tastycode)!)
+* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. [#101](https://github.com/flavorjones/loofah/issues/101), [#120](https://github.com/flavorjones/loofah/issues/120). (Thanks, [@mrpasquini](https://github.com/mrpasquini)!)
 ### Bugfixes:
-* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
-* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
+* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). [#124](https://github.com/flavorjones/loofah/issues/124)
+* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. [#91](https://github.com/flavorjones/loofah/issues/91)
 ## 2.0.3 / 2015-08-17
 ### Bug fixes:
-* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
+* Revert support for negative values in CSS properties due to slow performance. [#90](https://github.com/flavorjones/loofah/issues/90) (Related to [#85](https://github.com/flavorjones/loofah/issues/85).)
 ## 2.0.2 / 2015-05-05
 ### Bug fixes:
-* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
-* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
-* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
+* Fix error with `#to_text` when Loofah::Helpers hadn't been required. [#75](https://github.com/flavorjones/loofah/issues/75)
+* Allow multi-word data attributes. [#84](https://github.com/flavorjones/loofah/issues/84) (Thanks, [@jstorimer](https://github.com/jstorimer)!)
+* Allow negative values in CSS properties. [#85](https://github.com/flavorjones/loofah/issues/85) (Thanks, [@siddhartham](https://github.com/siddhartham)!)
 ## 2.0.1 / 2014-08-21
 ### Bug fixes:
-* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
+* Load RR correctly when running test files directly. (Thanks, [@ktdreyer](https://github.com/ktdreyer)!)
 ### Notes:
-* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
+* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, [@kaspth](https://github.com/kaspth)!)
 ## 2.0.0 / 2014-05-09
@@ -182,19 +189,19 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
   * attributes: `data-*` (Thanks, Rafael Franca!)
   * URI attributes: `poster` and `preload`
-* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
-* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
+* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. [#65](https://github.com/flavorjones/loofah/issues/65) (Thanks, Matt Swanson!)
+* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. [#62](https://github.com/flavorjones/loofah/issues/62) (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
 ### Bug fixes:
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
-* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
+* HTML5 sanitizers now allow negative arguments to CSS. [#64](https://github.com/flavorjones/loofah/issues/64) (Thanks, Jon Calhoun!)
 ## 1.2.1 (2012-04-14)
-* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
+* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. ([#32](https://github.com/flavorjones/loofah/issues/32))
 ## 1.2.0 (2011-08-08)
@@ -212,7 +219,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
   Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
 * Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
-* Don't explode when encountering UTF-8 URIs. (#25, #29)
+* Don't explode when encountering UTF-8 URIs. ([#25](https://github.com/flavorjones/loofah/issues/25), [#29](https://github.com/flavorjones/loofah/issues/29))
 ## 1.0.0 (2010-10-26)
@@ -230,7 +237,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * New methods Loofah::HTML::Document#to_text and
   Loofah::HTML::DocumentFragment#to_text do the right thing with
   whitespace. Note that these methods are significantly slower than
-  #text. GH #12
+  #text. GH [#12](https://github.com/flavorjones/loofah/issues/12)
 * Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
   will return unescaped HTML entities by passing :encode_special_chars => false.
@@ -244,7 +251,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ### Bug fixes:
-* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
+* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH [#17](https://github.com/flavorjones/loofah/issues/17)
 ## 0.4.3 (2010-01-29)
@@ -272,7 +279,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ### Bug fixes:
-* Supporting Rails apps that aren't loading ActiveRecord. GH #10
+* Supporting Rails apps that aren't loading ActiveRecord. GH [#10](https://github.com/flavorjones/loofah/issues/10)
 ### Miscellaneous:
@@ -333,13 +340,13 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ### Enhancements:
 * when loaded in a Rails app, automatically extend ActiveRecord::Base
-  with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
+  with html_fragment and html_document. GH [#6](https://github.com/flavorjones/loofah/issues/6) (Thanks Josh Nichols!)
 ### Bugfixes:
 * ActiveRecord scrubbing should generate strings instead of Document or
-  DocumentFragment objects. GH #5
-* init.rb fixed to support installation as a Rails plugin. GH #6
+  DocumentFragment objects. GH [#5](https://github.com/flavorjones/loofah/issues/5)
+* init.rb fixed to support installation as a Rails plugin. GH [#6](https://github.com/flavorjones/loofah/issues/6)
   (Thanks Josh Nichols!)

data/Gemfile CHANGED

@@ -15,9 +15,10 @@ gem "hoe-gemspec", "~>1.0", :group => [:development, :test]
 gem "hoe-debugging", "~>2.0", :group => [:development, :test]
 gem "hoe-bundler", "~>1.5", :group => [:development, :test]
 gem "hoe-git", "~>1.6", :group => [:development, :test]
+gem "hoe-markdown", "~>1.2", :group => [:development, :test]
 gem "concourse", ">=0.26.0", :group => [:development, :test]
 gem "rubocop", ">=0.76.0", :group => [:development, :test]
 gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
-gem "hoe", "~>3.20", :group => [:development, :test]
+gem "hoe", "~>3.22", :group => [:development, :test]
 # vim: syntax=ruby

data/Rakefile CHANGED

@@ -6,19 +6,18 @@ Hoe.plugin :git
 Hoe.plugin :gemspec
 Hoe.plugin :bundler
 Hoe.plugin :debugging
+Hoe.plugin :markdown
 Hoe.spec "loofah" do
   developer "Mike Dalessio", "mike.dalessio@gmail.com"
   developer "Bryan Helmkamp", "bryan@brynary.com"
-  self.history_file = "CHANGELOG.md"
-  self.readme_file = "README.md"
   self.license "MIT"
   self.urls = {
     "home" => "https://github.com/flavorjones/loofah",
     "bugs" => "https://github.com/flavorjones/loofah/issues",
     "doco" => "https://www.rubydoc.info/gems/loofah/",
-    "clog" => "https://github.com/flavorjones/loofah/master/CHANGELOG.md",
+    "clog" => "https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md",
     "code" => "https://github.com/flavorjones/loofah",
   }
@@ -33,6 +32,7 @@ Hoe.spec "loofah" do
   extra_dev_deps << ["hoe-debugging", "~> 2.0"]
   extra_dev_deps << ["hoe-bundler", "~> 1.5"]
   extra_dev_deps << ["hoe-git", "~> 1.6"]
+  extra_dev_deps << ["hoe-markdown", "~> 1.2"]
   extra_dev_deps << ["concourse", ">=0.26.0"]
   extra_dev_deps << ["rubocop", ">=0.76.0"]
 end

data/lib/loofah.rb CHANGED

@@ -29,7 +29,7 @@ require "loofah/html/document_fragment"
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.5.0"
+  VERSION = "2.6.0"
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html5/safelist.rb CHANGED

@@ -614,9 +614,13 @@ module Loofah
                                           "collapse",
                                           "dashed",
                                           "dotted",
+                                          "double",
                                           "fuchsia",
                                           "gray",
                                           "green",
+                                          "groove",
+                                          "hidden",
+                                          "inset",
                                           "italic",
                                           "left",
                                           "lime",
@@ -627,9 +631,11 @@ module Loofah
                                           "normal",
                                           "nowrap",
                                           "olive",
+                                          "outset",
                                           "pointer",
                                           "purple",
                                           "red",
+                                          "ridge",
                                           "right",
                                           "silver",
                                           "solid",

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-05 00:00:00.000000000 Z
+date: 2020-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -151,6 +151,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: hoe-markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: concourse
   requirement: !ruby/object:Gem::Requirement
@@ -263,7 +277,7 @@ metadata:
   homepage_uri: https://github.com/flavorjones/loofah
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
   documentation_uri: https://www.rubydoc.info/gems/loofah/
-  changelog_uri: https://github.com/flavorjones/loofah/master/CHANGELOG.md
+  changelog_uri: https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/flavorjones/loofah
 post_install_message:
 rdoc_options: