sanitize 4.6.3 → 4.6.4
- checksums.yaml +4 -4
- data/HISTORY.md +12 -1
- data/lib/sanitize.rb +1 -3
- data/lib/sanitize/version.rb +1 -1
- data/test/test_transformers.rb +18 -0
- metadata +1 -1
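--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ac9e4e6beb6025350578007019bf48458a64b82ef26cd11e4547aee35b72625c
+data.tar.gz: 000a0cd02b3a2690589f042f3d27fb0dd8fe34d150cc1ba073793dcfb2eb0a92
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 127b1656fa575c9ba793db8d6026a37b240a884172b18b05bb2776c80b2cda6fc2982938e3a98272b46d5741b05c8c05f3238ebb61e439a9f7ded36615854c4d
+data.tar.gz: adb7c8b6bf29118b82094dd2cb7109dfaa6286ca57b73e98ec457b8eb433e91c76efd987fe2c6d3b6dac1ed554331f7d067240c4a96e7522d7122da5c5b925b1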
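--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,8 +1,17 @@
 # Sanitize History
 
+## 4.6.4 (2018-03-20)
+
+* Fixed: A change introduced in 4.6.2 broke certain transformers that relied on
+being able to mutate the name of an HTML node. That change has been reverted
+and a test has been added to cover this case. [@zetter - #177][177]
+
+[177]:https://github.com/rgrove/sanitize/issues/177
+
 ## 4.6.3 (2018-03-19)
 
-* Fixed an HTML injection vulnerability that could allow
+* [CVE-2018-3740][176]: Fixed an HTML injection vulnerability that could allow
+XSS.
 
 When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
 specially crafted HTML fragment can cause libxml2 to generate improperly
@@ -15,6 +24,8 @@
 Many thanks to the Shopify Application Security Team for responsibly reporting
 this issue.
 
+[176]:https://github.com/rgrove/sanitize/issues/176
+
 ## 4.6.2 (2018-03-19)
 
 * Reduced string allocations to optimize memory usage. [@janklimo - #175][175]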
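--- a/data/lib/sanitize.rb
+++ b/data/lib/sanitize.rb
@@ -217,14 +217,12 @@ class Sanitize
 end
 
 def transform_node!(node, node_whitelist)
-node_name = node.name.downcase
-
 @transformers.each do |transformer|
 result = transformer.call(
 :config => @config,
 :is_whitelisted => node_whitelist.include?(node),
 :node => node,
-:node_name =>
+:node_name => node.name.downcase,
 :node_whitelist => node_whitelist
 )
 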
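Review bot: The per-transformer `node.name.downcase` on the new `:node_name =>` line is deliberate — it is what lets one transformer's rename be seen by the transformers that run after it — but nothing in the code says so, and a future allocation-trimming pass (the 4.6.2 change this reverts was exactly that, per the history entry) could hoist it out of the loop again. Suggest a comment above `@transformers.each do |transformer|`: `# Recompute the name on every iteration: a transformer may rename the node (#177).` Because a transformer can change the element name mid-loop, any element-whitelist decision taken after the loop has to read the node's current name rather than a value captured before it; the remainder of `transform_node!` lies outside this hunk, so I could not confirm that here.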
data/lib/sanitize/version.rb
CHANGED
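--- a/data/test/test_transformers.rb
+++ b/data/test/test_transformers.rb
@@ -203,4 +203,22 @@ describe 'Transformers' do
 .must_equal('')
 end
 end
+
+describe 'DOM modification transformer' do
+b_to_strong_tag_transformer = lambda do |env|
+node = env[:node]
+node_name = env[:node_name]
+
+if node_name == 'b'
+node.name = 'strong'
+end
+end
+
+it 'should allow the <b> tag to be changed to a <strong> tag' do
+input = '<b>text</b>'
+
+Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
+.must_equal '<strong>text</strong>'
+end
+end
 end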
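Review bot: The new example runs a single transformer, so it shows the renamed element survives the `['strong']` whitelist but never checks that a later transformer actually receives the updated `:node_name`, which is the behaviour the history entry says the 4.6.2 hoist broke. A second example that chains a recording transformer after `b_to_strong_tag_transformer` and asserts it saw `'strong'` and not `'b'` would pin that directly; it assumes `:transformers` accepts an array, which I believe it does but cannot verify from this hunk. It is also worth stating in the example name that the `<strong>text</strong>` expectation proves the whitelist is applied to the post-rename name, since a reader could take that for incidental. The enclosing `describe 'Transformers'` block starts outside the hunk.
```ruby
    # … unchanged: b_to_strong_tag_transformer and the existing example …

    it 'should pass the renamed node name to later transformers' do
      seen_names = []
      record_name_transformer = lambda do |env|
        seen_names << env[:node_name]
      end

      Sanitize.fragment('<b>text</b>',
        :elements => ['strong'],
        :transformers => [b_to_strong_tag_transformer, record_name_transformer])

      seen_names.must_include 'strong'
      seen_names.wont_include 'b'
    end
```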