loofah 2.25.0 → 2.25.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/SECURITY.md +1 -1
- data/lib/loofah/html5/scrub.rb +8 -5
- data/lib/loofah/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d07f9d310067f14d41ee4661fd3cd831de5af3d1c60bbfc949ba57219636ee9f
|
|
4
|
+
data.tar.gz: 0ea8df2bfb5396bcbcbec9b1ba3c7d1d0e852739be595efc4e27826226246eac
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0562da17634578281969ad6ebab59608ca78048d46a0ef298a5f767e32a0c66d11d74c1edd89a9710c80b2a27cc745af434890f8a79f055748e213642084f0c2
|
|
7
|
+
data.tar.gz: a39abf331334da243c9b608ab0a41fe5c08c0a41622433c86a3013a8aaaa204458afc7b99fe7d9042471f467433c6f4101f8f09adaddfb80fe091bf2541b6917
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,9 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 2.25.1 / 2026-03-17
|
|
4
|
+
|
|
5
|
+
* Ensure `Loofah::HTML5::Scrub.allowed_uri?` recognizes unescaped whitespace entities and rejects schemas containing them. See [GHSA-46fp-8f5p-pf2m](https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m). #302 @flavorjones
|
|
6
|
+
|
|
3
7
|
## 2.25.0 / 2025-12-15
|
|
4
8
|
|
|
5
9
|
* Extract `Loofah::HTML5::Scrub.allowed_uri?` which operates on a string. Previously this logic was coupled to the parsed tree in `.scrub_uri_attribute`. #300 @flavorjones
|
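Review bot: the entry says "rejects schemas containing them", but what `allowed_uri?` checks against `SafeList::ALLOWED_PROTOCOLS` is the URI scheme (protocol), so "schemes" is the accurate term here. It would also help downstream readers if the entry said what the fix does rather than only what it recognises, e.g. that control characters are now stripped again after HTML unescaping so an unescaped whitespace entity cannot survive into the scheme check, matching the `scrub.rb` change in this same release.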
data/SECURITY.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
The Loofah core contributors take security very seriously and investigate all reported vulnerabilities.
|
|
4
4
|
|
|
5
|
-
If you would like to report a vulnerablity or have a security concern regarding Loofah, please [report it via
|
|
5
|
+
If you would like to report a vulnerablity or have a security concern regarding Loofah, please [report it via Github](https://github.com/flavorjones/loofah/security).
|
|
6
6
|
|
|
7
7
|
Your report will be acknowledged within 24 hours, and you'll receive a more detailed response within 72 hours indicating next steps in handling your report.
|
|
8
8
|
|
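Review bot: the sentence being rewritten still carries the misspelling "vulnerablity" on both the `-` and the `+` side; since this line is touched anyway, correct it to "vulnerability" while here, and consider "GitHub" for the service's own capitalisation in the link text.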
data/lib/loofah/html5/scrub.rb
CHANGED
|
@@ -145,15 +145,18 @@ module Loofah
|
|
|
145
145
|
# This method can be used to validate URI attribute values without
|
|
146
146
|
# requiring a Nokogiri DOM node.
|
|
147
147
|
def allowed_uri?(uri_string)
|
|
148
|
-
#
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
148
|
+
# Replace control characters both before and after unescaping.
|
|
149
|
+
uri_string = CGI.unescapeHTML(uri_string.gsub(CONTROL_CHARACTERS, ""))
|
|
150
|
+
.gsub(CONTROL_CHARACTERS, "")
|
|
151
|
+
.gsub(":", ":")
|
|
152
|
+
.downcase
|
|
153
|
+
if URI_PROTOCOL_REGEX.match?(uri_string)
|
|
154
|
+
protocol = uri_string.split(SafeList::PROTOCOL_SEPARATOR)[0]
|
|
152
155
|
return false unless SafeList::ALLOWED_PROTOCOLS.include?(protocol)
|
|
153
156
|
|
|
154
157
|
if protocol == "data"
|
|
155
158
|
# permit only allowed data mediatypes
|
|
156
|
-
mediatype =
|
|
159
|
+
mediatype = uri_string.split(SafeList::PROTOCOL_SEPARATOR)[1]
|
|
157
160
|
mediatype, _ = mediatype.split(/[;,]/)[0..1] if mediatype
|
|
158
161
|
return false if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
|
|
159
162
|
end
|
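Review bot: `.gsub(":", ":")` at new line 151 reads as a no-op as rendered; if the first argument is meant to be a look-alike code point (for instance a fullwidth colon) that is folded to ASCII before `URI_PROTOCOL_REGEX` and the `PROTOCOL_SEPARATOR` split, spell it with a `\u` escape and add a comment naming the character, otherwise the normalisation is invisible to reviewers and easily lost to an editor that normalises Unicode. Two smaller points: the new comment says "Replace control characters" while both `gsub(CONTROL_CHARACTERS, "")` calls remove them, so "Strip" is the more accurate verb; and the second `gsub` after `CGI.unescapeHTML` is the line that actually closes the gap the changelog describes, since a whitespace entity only becomes a control character once unescaped, so a regression test exercising `allowed_uri?` with such an entity inside the scheme would pin that behaviour and document why the second pass exists.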
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: loofah
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.25.
|
|
4
|
+
version: 2.25.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Dalessio
|
|
@@ -96,7 +96,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
96
96
|
- !ruby/object:Gem::Version
|
|
97
97
|
version: '0'
|
|
98
98
|
requirements: []
|
|
99
|
-
rubygems_version:
|
|
99
|
+
rubygems_version: 4.0.3
|
|
100
100
|
specification_version: 4
|
|
101
101
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|
|
102
102
|
and fragments, built on top of Nokogiri.
|