loofah 2.2.1 → 2.2.2


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 55986c6edc7d96bf6301f01ed6c8474a0e0eedc3
4
- data.tar.gz: e1e5ef44e194bd9333cfc92f9d182bedaac5799c
3
+ metadata.gz: 9445f9115cb9fbe0677be8a93170729ddc04cfaa
4
+ data.tar.gz: b39cfde37a7ee10027da8e29052785b41965299e
5
5
  SHA512:
6
- metadata.gz: 7d45dbc3cb1e275e81f127e92107ba540da3f8294d486e927325cd9a8cb8c742ba1f34c14101b46437242b3778911c3f7392bf822b2dbeccd835410f52ca757f
7
- data.tar.gz: 70318ae204e34718bbdf818c6be1d302e5377eec163ff1380556e219443d1d0c42887f5e6e69b4d2ef8876e6cbbaa4f2f7f84d73fe71e13bbe1b2d10b199e072
6
+ metadata.gz: ffb7c7bdec7a1fb813ccd81d8841779d57304d32e7b34f99d3bdec2407aafd96562d7a15a8758b0abe63dbbb8b1b078b396ab5ce55ed2a168f5f8fff4dce5c50
7
+ data.tar.gz: 3ed294bf7beaeb073c688a46c8bbc2d6ef870afe09e1ca0c09ad144b93f06ef02638757176a53baf86eb3f1311833acf18fe94f47ad8d55d63302fb19c7ec666
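Review bot: both digest families are updated consistently here, but anyone pinning this release for integrity checks should record the SHA512 values on the `+` lines rather than the SHA1 ones, since SHA1 is no longer considered collision-resistant; the SHA512 lines for metadata.gz and data.tar.gz are the ones worth copying into a lockfile or verification script.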
@@ -1,5 +1,13 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.2.2 / 2018-03-22
4
+
5
+ Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
6
+ which was previously a private method. This is so that downstream gems
7
+ (like rails-html-sanitizer) can use this logic directly for their own
8
+ attribute scrubbers should they need to address CVE-2018-8048.
9
+
10
+
3
11
  ## 2.2.1 / 2018-03-19
4
12
 
5
13
  Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
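Review bot: the new 2.2.2 entry should state that `Loofah::HTML5::Scrub.force_correct_attribute_escaping!` is now part of the supported public API, since once downstream gems such as rails-html-sanitizer call it directly its name and signature become a compatibility commitment, and it should also mention the test fix for `Nokogiri::VersionInfo` included in this same release so the changelog reflects everything that shipped. Minor style point: the two added blank `+` lines at the end of the entry leave a double blank line before `## 2.2.1 / 2018-03-19`, where one would match the rest of the file.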
@@ -28,7 +28,7 @@ require 'loofah/html/document_fragment'
28
28
  #
29
29
  module Loofah
30
30
  # The version of Loofah you are using
31
- VERSION = '2.2.1'
31
+ VERSION = '2.2.2'
32
32
 
33
33
  class << self
34
34
  # Shortcut for Loofah::HTML::Document.parse
@@ -101,8 +101,6 @@ module Loofah
101
101
  Crass::Parser.stringify sanitized_tree
102
102
  end
103
103
 
104
- private
105
-
106
104
  #
107
105
  # libxml2 >= 2.9.2 fails to escape comments within some attributes.
108
106
  #
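Review bot: deleting the `private` keyword makes every method defined after it in this scope public, not only `force_correct_attribute_escaping!`; if any other internal helpers follow it in `Loofah::HTML5::Scrub`, they are now exposed as well, so consider keeping `private` and explicitly opening just the one method (for example with `public :force_correct_attribute_escaping!` or the `public_class_method` equivalent for singleton methods). A doc comment above the method stating that it is intended for downstream sanitizers, plus a test asserting that the method responds publicly, would lock in the intent described in the changelog.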
@@ -231,7 +231,7 @@ mso-bidi-language:#0400;}
231
231
  attributes = reparsed.at_css(config[:tag]).attribute_nodes
232
232
 
233
233
  assert_equal [config[:attr]], attributes.collect(&:name)
234
- if Nokogiri::VersionInfo.new.libxml2?
234
+ if Nokogiri::VersionInfo.instance.libxml2?
235
235
  if config[:unescaped]
236
236
  #
237
237
  # this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
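Review bot: the change from `Nokogiri::VersionInfo.new.libxml2?` to `Nokogiri::VersionInfo.instance.libxml2?` is a correctness fix, not cosmetic: `Nokogiri::VersionInfo` includes Ruby's `Singleton` module, which makes `new` private, so the old line would raise `NoMethodError` and this assertion path never ran. Since it restores the libxml2-specific escaping assertions for the CVE-2018-8048 test, it deserves a mention in the changelog, and ideally its own commit so the test repair is separable from the API change.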
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: loofah
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.1
4
+ version: 2.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-03-19 00:00:00.000000000 Z
12
+ date: 2018-03-22 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: nokogiri