rails-html-sanitizer 1.6.1 → 1.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +2 -2
- data/test/sanitizer_test.rb +5 -3
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d5507b24d4d93d6efebf2e327d04980dd114cd491732b5c71a7e1a3294c846a9
|
|
4
|
+
data.tar.gz: dd7a5070b04bf6a97b96df01d65fce9d52790e62dc6631b31fb72ecc2a6d16ed
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 912e9d41629bd93de8a14352757add81fde36e394e7907923a88dbebc39da85722fc13a01fa23973421a11e715b41fb78cec3f0379ccf5a97ab0f0ee3ed3dc5a
|
|
7
|
+
data.tar.gz: e03d92f6289ef71e4039a64b89bce79c5d5a9d628632c84b2b54235fbe69384578de92f7b2db114c13d041c4d589672dd09e23758a043e675eb37f961a858f67
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,16 @@
|
|
|
1
|
+
## v1.6.2 / 2024-12-12
|
|
2
|
+
|
|
3
|
+
* `PermitScrubber` fully supports frozen "allowed tags".
|
|
4
|
+
|
|
5
|
+
v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
|
|
6
|
+
introduced a regression for applications passing a frozen array of allowed tags. Tags and
|
|
7
|
+
attributes are now properly copied when they are passed to the scrubber.
|
|
8
|
+
|
|
9
|
+
Fixes #195.
|
|
10
|
+
|
|
11
|
+
*Mike Dalessio*
|
|
12
|
+
|
|
13
|
+
|
|
1
14
|
## 1.6.1 / 2024-12-02
|
|
2
15
|
|
|
3
16
|
This is a performance and security release which addresses several possible XSS vulnerabilities.
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -56,11 +56,11 @@ module Rails
|
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
def tags=(tags)
|
|
59
|
-
@tags = validate!(tags, :tags)
|
|
59
|
+
@tags = validate!(tags.dup, :tags)
|
|
60
60
|
end
|
|
61
61
|
|
|
62
62
|
def attributes=(attributes)
|
|
63
|
-
@attributes = validate!(attributes, :attributes)
|
|
63
|
+
@attributes = validate!(attributes.dup, :attributes)
|
|
64
64
|
end
|
|
65
65
|
|
|
66
66
|
def scrub(node)
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -1099,7 +1099,7 @@ module SanitizerTests
|
|
|
1099
1099
|
def test_should_prune_mglyph
|
|
1100
1100
|
# https://hackerone.com/reports/2519936
|
|
1101
1101
|
input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
|
|
1102
|
-
tags = %w(math mtext table mglyph style)
|
|
1102
|
+
tags = %w(math mtext table mglyph style).freeze
|
|
1103
1103
|
|
|
1104
1104
|
actual = nil
|
|
1105
1105
|
assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
|
|
@@ -1119,7 +1119,7 @@ module SanitizerTests
|
|
|
1119
1119
|
def test_should_prune_malignmark
|
|
1120
1120
|
# https://hackerone.com/reports/2519936
|
|
1121
1121
|
input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
|
|
1122
|
-
tags = %w(math mtext table malignmark style)
|
|
1122
|
+
tags = %w(math mtext table malignmark style).freeze
|
|
1123
1123
|
|
|
1124
1124
|
actual = nil
|
|
1125
1125
|
assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
|
|
@@ -1138,7 +1138,9 @@ module SanitizerTests
|
|
|
1138
1138
|
|
|
1139
1139
|
def test_should_prune_noscript
|
|
1140
1140
|
# https://hackerone.com/reports/2509647
|
|
1141
|
-
input
|
|
1141
|
+
input = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>"
|
|
1142
|
+
tags = ["p", "div", "noscript"].freeze
|
|
1143
|
+
|
|
1142
1144
|
actual = nil
|
|
1143
1145
|
assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
|
|
1144
1146
|
actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2024-12-
|
|
13
|
+
date: 2024-12-12 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: loofah
|
|
@@ -118,9 +118,9 @@ licenses:
|
|
|
118
118
|
- MIT
|
|
119
119
|
metadata:
|
|
120
120
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
121
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.
|
|
122
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.
|
|
123
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.
|
|
121
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.2/CHANGELOG.md
|
|
122
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.2
|
|
123
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.2
|
|
124
124
|
post_install_message:
|
|
125
125
|
rdoc_options: []
|
|
126
126
|
require_paths:
|
|
@@ -136,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
136
136
|
- !ruby/object:Gem::Version
|
|
137
137
|
version: '0'
|
|
138
138
|
requirements: []
|
|
139
|
-
rubygems_version: 3.
|
|
139
|
+
rubygems_version: 3.3.22
|
|
140
140
|
signing_key:
|
|
141
141
|
specification_version: 4
|
|
142
142
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|