loofah 2.2.1 → 2.2.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/loofah.rb +1 -1
- data/lib/loofah/html5/scrub.rb +0 -2
- data/test/integration/test_ad_hoc.rb +1 -1
- metadata +2 -2
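--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9445f9115cb9fbe0677be8a93170729ddc04cfaa
+data.tar.gz: b39cfde37a7ee10027da8e29052785b41965299e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ffb7c7bdec7a1fb813ccd81d8841779d57304d32e7b34f99d3bdec2407aafd96562d7a15a8758b0abe63dbbb8b1b078b396ab5ce55ed2a168f5f8fff4dce5c50
+data.tar.gz: 3ed294bf7beaeb073c688a46c8bbc2d6ef870afe09e1ca0c09ad144b93f06ef02638757176a53baf86eb3f1311833acf18fe94f47ad8d55d63302fb19c7ec666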
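--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 2.2.2 / 2018-03-22
+
+Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
+which was previously a private method. This is so that downstream gems
+(like rails-html-sanitizer) can use this logic directly for their own
+attribute scrubbers should they need to address CVE-2018-8048.
+
+
 ## 2.2.1 / 2018-03-19
 
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.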
data/lib/loofah.rb
CHANGED
data/lib/loofah/html5/scrub.rb
CHANGED
|
@@ -231,7 +231,7 @@ mso-bidi-language:#0400;}
|
|
|
231
231
|
attributes = reparsed.at_css(config[:tag]).attribute_nodes
|
|
232
232
|
|
|
233
233
|
assert_equal [config[:attr]], attributes.collect(&:name)
|
|
234
|
-
if Nokogiri::VersionInfo.
|
|
234
|
+
if Nokogiri::VersionInfo.instance.libxml2?
|
|
235
235
|
if config[:unescaped]
|
|
236
236
|
#
|
|
237
237
|
# this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
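Review bot: The new backend gate `if Nokogiri::VersionInfo.instance.libxml2?` carries no comment explaining why the expected attribute escaping depends on the parser, and only the `if config[:unescaped]` branch beneath it is visible, so a reader cannot tell what the non-libxml2 path asserts; a one-line comment such as `# libxml2 and the JRuby backend serialize attribute quoting differently, so expectations are per backend — confirm` above the gate would make the split self-explanatory. The enclosing test method starts before and ends after this hunk. This hunk (an `assert_equal` on attribute names with a 7/7 header) appears to be the data/test/integration/test_ad_hoc.rb change listed in the diffstat as +1 -1 rather than data/lib/loofah/html5/scrub.rb (+0 -2) under whose header it is rendered, and the scrub.rb hunk that makes `force_correct_attribute_escaping!` public does not appear on this page. Because the removed line is truncated here, whether the old gate was also a libxml2 check cannot be confirmed from this view.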
|
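--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-version: 2.2.
+version: 2.2.2
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-03-
+date: 2018-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri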