rails-html-sanitizer 1.6.1 → 1.6.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +2 -2
- data/test/sanitizer_test.rb +5 -3
- metadata +6 -6
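--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d5507b24d4d93d6efebf2e327d04980dd114cd491732b5c71a7e1a3294c846a9
+data.tar.gz: dd7a5070b04bf6a97b96df01d65fce9d52790e62dc6631b31fb72ecc2a6d16ed
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 912e9d41629bd93de8a14352757add81fde36e394e7907923a88dbebc39da85722fc13a01fa23973421a11e715b41fb78cec3f0379ccf5a97ab0f0ee3ed3dc5a
+data.tar.gz: e03d92f6289ef71e4039a64b89bce79c5d5a9d628632c84b2b54235fbe69384578de92f7b2db114c13d041c4d589672dd09e23758a043e675eb37f961a858f67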
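--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+## v1.6.2 / 2024-12-12
+
+* `PermitScrubber` fully supports frozen "allowed tags".
+
+v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
+introduced a regression for applications passing a frozen array of allowed tags. Tags and
+attributes are now properly copied when they are passed to the scrubber.
+
+Fixes #195.
+
+*Mike Dalessio*
+
+
 ## 1.6.1 / 2024-12-02
 
 This is a performance and security release which addresses several possible XSS vulnerabilities.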
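--- a/data/lib/rails/html/scrubbers.rb
+++ b/data/lib/rails/html/scrubbers.rb
@@ -56,11 +56,11 @@ module Rails
 end
 
 def tags=(tags)
-@tags = validate!(tags, :tags)
+@tags = validate!(tags.dup, :tags)
 end
 
 def attributes=(attributes)
-@attributes = validate!(attributes, :attributes)
+@attributes = validate!(attributes.dup, :attributes)
 end
 
 def scrub(node)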
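Review bot: The new `tags.dup` and `attributes.dup` calls carry no comment saying why a copy is taken, and the reason is not visible from these two setters alone: the mutation happens inside validate!, which lies outside the hunk, and the changelog says callers may pass a frozen array. A one-line comment above each, e.g. `# validate! mutates the collection to drop unsafe entries; copy it so a frozen array from the caller is not modified`, would keep a future cleanup from removing an apparently redundant dup. Note also that dup is shallow and that, if nil is an accepted value for these setters, `nil.dup` is a no-op on Ruby 2.4+, so nil handling presumably still rests on validate! — worth confirming against its body. The enclosing class continues outside the hunk.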
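--- a/data/test/sanitizer_test.rb
+++ b/data/test/sanitizer_test.rb
@@ -1099,7 +1099,7 @@ module SanitizerTests
 def test_should_prune_mglyph
 # https://hackerone.com/reports/2519936
 input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
-tags = %w(math mtext table mglyph style)
+tags = %w(math mtext table mglyph style).freeze
 
 actual = nil
 assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
@@ -1119,7 +1119,7 @@ module SanitizerTests
 def test_should_prune_malignmark
 # https://hackerone.com/reports/2519936
 input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
-tags = %w(math mtext table malignmark style)
+tags = %w(math mtext table malignmark style).freeze
 
 actual = nil
 assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
@@ -1138,7 +1138,9 @@ module SanitizerTests
 
 def test_should_prune_noscript
 # https://hackerone.com/reports/2509647
-input
+input = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>"
+tags = ["p", "div", "noscript"].freeze
+
 actual = nil
 assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
 actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))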
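Review bot: The three updated tests freeze only the tags list, while the companion change in scrubbers.rb also copies `attributes`; the sanitize call at the end of the noscript hunk still passes an unfrozen `%w(id)`, so the attributes copy path is never exercised with frozen input. Changing that line to `actual = safe_list_sanitize(input, tags: tags, attributes: %w(id).freeze)` would cover the other half of the fix, and the same applies to the mglyph and malignmark tests, whose sanitize calls lie outside their hunks. Each test method continues past the end of its hunk.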
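--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-version: 1.6.
+version: 1.6.2
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-
+date: 2024-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: loofah
@@ -118,9 +118,9 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.
-documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.
-source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.
+changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.2/CHANGELOG.md
+documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.2
+source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.2
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -136,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.22
 signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.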