sanitize 4.6.3 → 4.6.4


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 04fe170a57bfd67e2e2f40e19e6add8cd777a9d812f24b66a4350d0cefe9f803
4
- data.tar.gz: fb848fbc8cf1878905378f2795c9ad012d4247a1a5491ec4735994902544840d
3
+ metadata.gz: ac9e4e6beb6025350578007019bf48458a64b82ef26cd11e4547aee35b72625c
4
+ data.tar.gz: 000a0cd02b3a2690589f042f3d27fb0dd8fe34d150cc1ba073793dcfb2eb0a92
5
5
  SHA512:
6
- metadata.gz: dde1af17f562062ea7136d8033df17ed2aeaf39fdc1d037e75118c1ed9718d6ae50f29f9bb1165b0057810fed7a8bcac303e9e0687c3f98dbe514f6cb768cae5
7
- data.tar.gz: 408533cd205ec1570041a6c029bb639978aa1785824a2e69df9d695331f274e7cda4e024934300ba35b8792fb39f4a94bd780dc6365cc2eaade06cdc32d3299e
6
+ metadata.gz: 127b1656fa575c9ba793db8d6026a37b240a884172b18b05bb2776c80b2cda6fc2982938e3a98272b46d5741b05c8c05f3238ebb61e439a9f7ded36615854c4d
7
+ data.tar.gz: adb7c8b6bf29118b82094dd2cb7109dfaa6286ca57b73e98ec457b8eb433e91c76efd987fe2c6d3b6dac1ed554331f7d067240c4a96e7522d7122da5c5b925b1
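Review bot: the checksums.yaml hunk is not reviewable for logic, it only records the digests of the rebuilt metadata.gz and data.tar.gz; since this file ships inside the gem it cannot by itself prove integrity, so anyone verifying the release should compare these SHA256/SHA512 values against a digest computed over the gem actually fetched from the registry.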
data/HISTORY.md CHANGED
@@ -1,8 +1,17 @@
1
1
  # Sanitize History
2
2
 
3
+ ## 4.6.4 (2018-03-20)
4
+
5
+ * Fixed: A change introduced in 4.6.2 broke certain transformers that relied on
6
+ being able to mutate the name of an HTML node. That change has been reverted
7
+ and a test has been added to cover this case. [@zetter - #177][177]
8
+
9
+ [177]:https://github.com/rgrove/sanitize/issues/177
10
+
3
11
  ## 4.6.3 (2018-03-19)
4
12
 
5
- * Fixed an HTML injection vulnerability that could allow XSS.
13
+ * [CVE-2018-3740][176]: Fixed an HTML injection vulnerability that could allow
14
+ XSS.
6
15
 
7
16
  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
8
17
  specially crafted HTML fragment can cause libxml2 to generate improperly
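Review bot: the 4.6.4 entry says the 4.6.2 change "has been reverted" but never says what that change was or what transformer authors get back, and the 4.6.2 entry below describes it only as "Reduced string allocations", so a reader cannot tell from HISTORY alone that `:node_name` is once again derived from the node's current name each time a transformer is called. Suggest expanding the entry along the lines of "`:node_name` is now re-read from `node.name` for every transformer call, so a transformer that renames a node (e.g. `node.name = 'strong'`) no longer sees a stale cached name", which documents both the regression and the fix.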
@@ -15,6 +24,8 @@
15
24
  Many thanks to the Shopify Application Security Team for responsibly reporting
16
25
  this issue.
17
26
 
27
+ [176]:https://github.com/rgrove/sanitize/issues/176
28
+
18
29
  ## 4.6.2 (2018-03-19)
19
30
 
20
31
  * Reduced string allocations to optimize memory usage. [@janklimo - #175][175]
@@ -217,14 +217,12 @@ class Sanitize
217
217
  end
218
218
 
219
219
  def transform_node!(node, node_whitelist)
220
- node_name = node.name.downcase
221
-
222
220
  @transformers.each do |transformer|
223
221
  result = transformer.call(
224
222
  :config => @config,
225
223
  :is_whitelisted => node_whitelist.include?(node),
226
224
  :node => node,
227
- :node_name => node_name,
225
+ :node_name => node.name.downcase,
228
226
  :node_whitelist => node_whitelist
229
227
  )
230
228
 
@@ -1,5 +1,5 @@
1
1
  # encoding: utf-8
2
2
 
3
3
  class Sanitize
4
- VERSION = '4.6.3'
4
+ VERSION = '4.6.4'
5
5
  end
@@ -203,4 +203,22 @@ describe 'Transformers' do
203
203
  .must_equal('')
204
204
  end
205
205
  end
206
+
207
+ describe 'DOM modification transformer' do
208
+ b_to_strong_tag_transformer = lambda do |env|
209
+ node = env[:node]
210
+ node_name = env[:node_name]
211
+
212
+ if node_name == 'b'
213
+ node.name = 'strong'
214
+ end
215
+ end
216
+
217
+ it 'should allow the <b> tag to be changed to a <strong> tag' do
218
+ input = '<b>text</b>'
219
+
220
+ Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
221
+ .must_equal '<strong>text</strong>'
222
+ end
223
+ end
206
224
  end
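Review bot: the new test exercises only a single transformer, so it proves the rename is not lost but not the case a cached `node_name` actually breaks: a second transformer running after `b_to_strong_tag_transformer` should receive `:node_name => 'strong'`, not `'b'`, and any whitelist decision it makes on that name depends on it. Suggest a second `it` that passes an array of two transformers, with the second one recording `env[:node_name]` so the test can assert it equals `'strong'`; that also covers the array form of `:transformers`, whereas this test passes a bare lambda.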
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.6.3
4
+ version: 4.6.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove