rails-html-sanitizer 1.6.1 → 1.6.2

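--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ad86488f25943fb1d0050513a08581231534a8552e4de66329270845ff650b12
- data.tar.gz: ca70b518cc54e0ec2e224a5c3dbd82d567e39fd2d2ce3538e308f4d8846234b4
+ metadata.gz: d5507b24d4d93d6efebf2e327d04980dd114cd491732b5c71a7e1a3294c846a9
+ data.tar.gz: dd7a5070b04bf6a97b96df01d65fce9d52790e62dc6631b31fb72ecc2a6d16ed
  SHA512:
- metadata.gz: f6e2db01e0cd52d3bdcae7ceb90a081998111e84f19f4908d73a9b229a0ec87edfc10f05772b057d2c3e6c9cd08df267f82070f16015d9953d3edc85002dcafd
- data.tar.gz: 746475ff0522b512e28f7bfd83a7e54be7445a29abcd9b1c8aa16c7b6c39b6f97f5e553ac228b3bad98af8b5f828c4fb6c311f75ddd4b286045ba9a353f0fd8a
+ metadata.gz: 912e9d41629bd93de8a14352757add81fde36e394e7907923a88dbebc39da85722fc13a01fa23973421a11e715b41fb78cec3f0379ccf5a97ab0f0ee3ed3dc5a
+ data.tar.gz: e03d92f6289ef71e4039a64b89bce79c5d5a9d628632c84b2b54235fbe69384578de92f7b2db114c13d041c4d589672dd09e23758a043e675eb37f961a858f67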
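--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+ ## v1.6.2 / 2024-12-12
+
+ * `PermitScrubber` fully supports frozen "allowed tags".
+
+ v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
+ introduced a regression for applications passing a frozen array of allowed tags. Tags and
+ attributes are now properly copied when they are passed to the scrubber.
+
+ Fixes #195.
+
+ *Mike Dalessio*
+
+
  ## 1.6.1 / 2024-12-02
 
  This is a performance and security release which addresses several possible XSS vulnerabilities.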
@@ -3,7 +3,7 @@
3
3
  module Rails
4
4
  module HTML
5
5
  class Sanitizer
6
- VERSION = "1.6.1"
6
+ VERSION = "1.6.2"
7
7
  end
8
8
  end
9
9
  end
@@ -56,11 +56,11 @@ module Rails
56
56
  end
57
57
 
58
58
  def tags=(tags)
59
- @tags = validate!(tags, :tags)
59
+ @tags = validate!(tags.dup, :tags)
60
60
  end
61
61
 
62
62
  def attributes=(attributes)
63
- @attributes = validate!(attributes, :attributes)
63
+ @attributes = validate!(attributes.dup, :attributes)
64
64
  end
65
65
 
66
66
  def scrub(node)
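Review bot: The `.dup` added in `tags=` and `attributes=` carries no comment explaining why the copy is needed, so a later cleanup could plausibly remove it as redundant; the changelog hunk on this page explains it, but the code itself does not. I would put `# dup: validate! may remove unsafe entries, and callers may pass a frozen or shared collection` above each of the two setters. `dup` is a shallow copy, which looks sufficient here because only the collection itself is altered rather than its elements, but that depends on what `validate!` does, and `validate!` is outside this hunk; on current Rubies `nil.dup` returns `nil`, so a nil allowed list would pass through unchanged if `validate!` accepts it. The enclosing class starts outside the hunk and `scrub` on the last line continues past it.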
@@ -1099,7 +1099,7 @@ module SanitizerTests
1099
1099
  def test_should_prune_mglyph
1100
1100
  # https://hackerone.com/reports/2519936
1101
1101
  input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
1102
- tags = %w(math mtext table mglyph style)
1102
+ tags = %w(math mtext table mglyph style).freeze
1103
1103
 
1104
1104
  actual = nil
1105
1105
  assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
@@ -1119,7 +1119,7 @@ module SanitizerTests
1119
1119
  def test_should_prune_malignmark
1120
1120
  # https://hackerone.com/reports/2519936
1121
1121
  input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
1122
- tags = %w(math mtext table malignmark style)
1122
+ tags = %w(math mtext table malignmark style).freeze
1123
1123
 
1124
1124
  actual = nil
1125
1125
  assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
@@ -1138,7 +1138,9 @@ module SanitizerTests
1138
1138
 
1139
1139
  def test_should_prune_noscript
1140
1140
  # https://hackerone.com/reports/2509647
1141
- input, tags = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>", ["p", "div", "noscript"]
1141
+ input = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>"
1142
+ tags = ["p", "div", "noscript"].freeze
1143
+
1142
1144
  actual = nil
1143
1145
  assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
1144
1146
  actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))
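Review bot: The `.freeze` added to `tags` in `test_should_prune_mglyph`, `test_should_prune_malignmark` and `test_should_prune_noscript` covers the `tags=` copy, but the `attributes: %w(id)` passed at the end of this hunk is still unfrozen, so the parallel `attributes.dup` change in the scrubber hunk has no frozen-input coverage visible here; changing the call to `actual = safe_list_sanitize(input, tags: tags, attributes: %w(id).freeze)` would exercise it. The `safe_list_sanitize` calls of the other two tests fall outside their hunks, so I cannot tell whether they pass attributes at all. `test_should_prune_noscript` continues past the end of the hunk.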
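--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: rails-html-sanitizer
  version: !ruby/object:Gem::Version
- version: 1.6.1
+ version: 1.6.2
  platform: ruby
  authors:
  - Rafael Mendonça França
@@ -10,7 +10,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2024-12-02 00:00:00.000000000 Z
+ date: 2024-12-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: loofah
@@ -118,9 +118,9 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
- changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
- documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.1
- source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.1
+ changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.2/CHANGELOG.md
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.2
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.2
  post_install_message:
  rdoc_options: []
  require_paths:
@@ -136,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.5.22
+ rubygems_version: 3.3.22
  signing_key:
  specification_version: 4
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.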