loofah 2.2.1 → 2.2.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/loofah.rb +1 -1
- data/lib/loofah/html5/scrub.rb +0 -2
- data/test/integration/test_ad_hoc.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9445f9115cb9fbe0677be8a93170729ddc04cfaa
|
4
|
+
data.tar.gz: b39cfde37a7ee10027da8e29052785b41965299e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ffb7c7bdec7a1fb813ccd81d8841779d57304d32e7b34f99d3bdec2407aafd96562d7a15a8758b0abe63dbbb8b1b078b396ab5ce55ed2a168f5f8fff4dce5c50
|
7
|
+
data.tar.gz: 3ed294bf7beaeb073c688a46c8bbc2d6ef870afe09e1ca0c09ad144b93f06ef02638757176a53baf86eb3f1311833acf18fe94f47ad8d55d63302fb19c7ec666
|
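Review bot: the removed SHA1 and SHA512 values for metadata.gz and data.tar.gz are blank in this rendering, so the old and new digests cannot be compared by eye here; these are the gem's own embedded checksums.yaml entries and only cover the packaged tarballs, so verify the 2.2.2 gem you actually install against the published package (for example by fetching it with `gem fetch loofah -v 2.2.2` and checking its digest) rather than relying on this file alone.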
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,13 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.2.2 / 2018-03-22
|
4
|
+
|
5
|
+
Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
|
6
|
+
which was previously a private method. This is so that downstream gems
|
7
|
+
(like rails-html-sanitizer) can use this logic directly for their own
|
8
|
+
attribute scrubbers should they need to address CVE-2018-8048.
|
9
|
+
|
10
|
+
|
3
11
|
## 2.2.1 / 2018-03-19
|
4
12
|
|
5
13
|
Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
|
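Review bot: the new 2.2.2 entry only records making `Loofah::HTML5::Scrub.force_correct_attribute_escaping!` public, which is consistent with the `+0 -2` count for data/lib/loofah/html5/scrub.rb in the file summary, but the scrub.rb hunk itself is not rendered in this view, so the visibility change cannot be confirmed from the page; consider also mentioning the `data/test/integration/test_ad_hoc.rb` change (the `Nokogiri::VersionInfo` guard) in the entry, and note for downstream users that consumers such as rails-html-sanitizer relying on this method should require loofah >= 2.2.2.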
data/lib/loofah.rb
CHANGED
data/lib/loofah/html5/scrub.rb
CHANGED
@@ -231,7 +231,7 @@ mso-bidi-language:#0400;}
|
|
231
231
|
attributes = reparsed.at_css(config[:tag]).attribute_nodes
|
232
232
|
|
233
233
|
assert_equal [config[:attr]], attributes.collect(&:name)
|
234
|
-
if Nokogiri::VersionInfo.
|
234
|
+
if Nokogiri::VersionInfo.instance.libxml2?
|
235
235
|
if config[:unescaped]
|
236
236
|
#
|
237
237
|
# this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
|
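Review bot: this hunk is shown under the `data/lib/loofah/html5/scrub.rb` header (its `@@` context even carries the `mso-bidi-language:#0400;}` CSS from that file), yet its body is test code (`assert_equal [config[:attr]], attributes.collect(&:name)`), matching the `+1 -1` change listed for `data/test/integration/test_ad_hoc.rb` rather than the `+0 -2` listed for scrub.rb; the rendering appears to have mixed up the two files, and the removed line is truncated at `if Nokogiri::VersionInfo.`, so the actual change to the libxml2 guard cannot be verified from this view and should be checked against the gem's unpacked source.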
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.2.
|
4
|
+
version: 2.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
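Review bot: the version bump to `2.2.2` matches the new CHANGELOG heading, but the removed line is truncated at `version: 2.2.` in this rendering, so the previous value is only inferable from the page title (2.2.1).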
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2018-03-
|
12
|
+
date: 2018-03-22 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: nokogiri
|
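Review bot: the new `date: 2018-03-22 00:00:00.000000000 Z` agrees with the `2.2.2 / 2018-03-22` CHANGELOG entry; the removed line is cut off at `date: 2018-03-`, so the old date is not visible here.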