RubyGems - rails-html-sanitizer - Versions diffs - 1.6.0.rc2 → 1.6.0 - Mend

rails-html-sanitizer 1.6.0.rc2 → 1.6.0

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -1
data/README.md +54 -45
data/lib/rails/html/sanitizer/version.rb +1 -1
metadata +7 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ce8562c96b3e842ebf50227e682c3fa948ebf8474786f100dbf78adff7f98d0
-  data.tar.gz: 7ca7beb76be35dea0dd926819212445e885a2b205ca0b2e45628f58d734a1a9f
+  metadata.gz: 365db7c11fc174c5da0a4a670fec92033cf277b71e7bb089534b2ad1bd48b314
+  data.tar.gz: b33e592de2e0081f1493d9fc29e8db1a26b2f727c20aa7d111332438bfbf2f1d
 SHA512:
-  metadata.gz: 30d9b9288698da75f713811e8b507edda0645eb4a485b0466847a4b8246aa854cd12e4dae238e61b09e371c950ee8516595b39207d4b10323bf81cf74b0a5114
-  data.tar.gz: 81698f017c423bac3434e7129b70c4ecba80b27a4f8c6d86294d548aeeb9238d98cd65c15f06bcf62c6ee104e8b3beca782c8e9b338302590c33b65ab9ed8121
+  metadata.gz: bafc9210e52f68f6ea033c1deb70d2d227a85a661f9c4fe988da876a73e29b7c86e0910d9705616ed536978d4c6cdf9e5a23b211e720c1f4c86d7b5ce04c03bf
+  data.tar.gz: acb3ed50bf5ebd95824bffc8efb4be8745c32e3d5bd5d157edc14648f4f00e07f308ce5ecb2889ae417d7cd999871f4860ac79ecb0864a25220683ae2edd5473

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,14 @@
-## 1.6.0.rc2 / 2023-05-24
+## 1.6.0 / 2023-05-26
+* Dependencies have been updated:
+  - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
+  - As a result, required Ruby version is now `>= 2.7.0`
+  Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
+  (which supports Ruby 2.5) is still in security support.
+  *Mike Dalessio*
 * HTML5 standards-compliant sanitizers are now available on platforms supported by
   Nokogiri::HTML5. These are available as:

data/README.md CHANGED Viewed

@@ -7,51 +7,6 @@ Rails HTML Sanitizer is only intended to be used with Rails applications. If you
 ## Usage
-### A note on HTML entities
-__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
-Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
-This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
-#### A concrete example showing the problem that can arise
-Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
-If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
-When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
-Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
-#### Suggested alternatives
-You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
-That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
-If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
-### A note on module names
-In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
-- `Rails::HTML` for general functionality (replacing `Rails::Html`)
-- `Rails::HTML4` containing sanitizers that parse content as HTML4
-- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
-The following aliases are maintained for backwards compatibility:
-- `Rails::Html` points to `Rails::HTML`
-- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
-- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
-- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ### Sanitizers
 All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
@@ -219,6 +174,51 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
 <%= sanitize @comment, scrubber: CommentScrubber.new %>
 ```
+### A note on HTML entities
+__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
+Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
+This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
+#### A concrete example showing the problem that can arise
+Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
+If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
+When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
+Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
+#### Suggested alternatives
+You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
+That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
+If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
+### A note on module names
+In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
+- `Rails::HTML` for general functionality (replacing `Rails::Html`)
+- `Rails::HTML4` containing sanitizers that parse content as HTML4
+- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
+The following aliases are maintained for backwards compatibility:
+- `Rails::Html` points to `Rails::HTML`
+- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ## Installation
 Add this line to your application's Gemfile:
@@ -234,6 +234,15 @@ Or install it yourself as:
     $ gem install rails-html-sanitizer
+## Support matrix
+| branch | ruby support | actively maintained | security support                       |
+|--------|--------------|---------------------|----------------------------------------|
+| 1.6.x  | >= 2.7       | yes                 | yes                                    |
+| 1.5.x  | >= 2.5       | no                  | while Rails 6.1 is in security support |
+| 1.4.x  | >= 1.8.7     | no                  | no                                     |
 ## Read more
 Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Rails
   module HTML
     class Sanitizer
-      VERSION = "1.6.0.rc2"
+      VERSION = "1.6.0"
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.6.0.rc2
+  version: 1.6.0
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-24 00:00:00.000000000 Z
+date: 2023-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -64,9 +64,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0.rc2/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0.rc2
-  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0.rc2
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -78,9 +78,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.4.10
 signing_key: