summaryrefslogtreecommitdiff
path: root/www/ruby-loofah
AgeCommit message (Collapse)AuthorFilesLines
2019-10-22www/ruby-loofah: update to 2.3.1taca3-9/+10
## 2.3.1 / 2019-10-22 ### Security Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171 ## 2.3.0 / unreleased ### Features * Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147] * Expand set of allowed CSS functions. [related to #122] * Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!) * Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!) * Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!) * Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!) ### Bug fixes * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!) ### Deprecations / Name Changes The following method and constants are hereby deprecated, and will be completely removed in a future release: * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
2018-11-01www/ruby-loofah: update to 2.2.3taca3-8/+11
## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained.
2018-03-23www/ruby-loofah: update to 2.2.2taca2-7/+7
## 2.2.2 / 2018-03-22 Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
2018-03-21www/ruby-loofah: update to 2.2.1taca3-8/+10
## 2.2.1 / 2018-03-19 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
2018-03-17www/ruby-loofah: update to 2.2.0taca3-10/+11
## 2.2.0 / 2018-02-11 Features: * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!) * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!) * Support SVG `<symbol>` tag. #131 (Thanks, @baopham!) * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!) * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!) Bugfixes: * Properly handle nested `script` tags. #127. ## 2.1.1 / 2017-09-24 Bugfixes: * Removed warning for unused variable. #124 (Thanks, @y-yagi!) ## 2.1.0 / 2017-09-24 Notes: * Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91 Features: * Added :noopener HTML scrubber (Thanks, @tastycode!) * Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!) Bugfixes: * The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124 * Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
2017-04-06Import ruby-loofah-2.0.3 as www/ruby-loofahminskim4-0/+66
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so it's fast and has a nice API. Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely won't make your codes less secure.
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-29 15:32:37 +0000