🚨 [security] Update rails-html-sanitizer 1.6.0 → 1.6.1 (patch) #499
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and at the test results before merging this pull request.
What changed?
Security Advisories 🚨
🚨 rails-html-sanitizer has XSS vulnerability with certain configurations
🚨 rails-html-sanitizer has XSS vulnerability with certain configurations
🚨 rails-html-sanitizer has XSS vulnerability with certain configurations
🚨 rails-html-sanitizer has XSS vulnerability with certain configurations
🚨 rails-html-sanitizer has XSS vulnerability with certain configurations
Commits
See the full diff on GitHub. The new version differs by 51 commits:
version bump to v1.6.1
doc: update CHANGELOG with assigned CVEs
Combine the noscript/mglyph prevention blocks
Merge branch 'h1-2509647-noscript' into flavorjones-2024-security-fixes
Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-2024-security-fixes
Merge branch 'h1-2519936-foreign-ns-confusion' into flavorjones-2024-security-fixes
Merge branch 'h1-2503220-nokogiri-serialization' into flavorjones-2024-security-fixes
doc: update CHANGELOG
fix: disallow 'noscript' from safe lists
fix: disallow 'mglyph' and 'malignmark' from safe lists
dep: bump Nokogiri dependency to address the foreign style issue
Merge pull request #194 from rails/flavorjones-bundle-update-20241130
dev: bundle update
doc: update CHANGELOG for #188
fix: Namespace confusion when disallowing 'svg' or 'math'
test: Nokogiri's HTML5 "foreign style serialization" issue
Merge pull request #193 from rails/dependabot/bundler/rexml-3.3.9
build(deps-dev): bump rexml from 3.3.6 to 3.3.9
Merge pull request #191 from seanpdoyle/patch-1
Update README.md
Merge pull request #189 from rails/dependabot/bundler/rexml-3.3.6
build(deps-dev): bump rexml from 3.3.5 to 3.3.6
Merge pull request #188 from rails/flavorjones-minimize-operations
Do not scrub removed attributes
Do not scrub attributes on a removed node
Merge pull request #187 from rails/flavorjones-20240813-bundle-update
dep(dev): bundle update
Merge pull request #185 from rails/flavorjones-dep-update-nokogiri
dep: update nokogiri in Gemfile.lock
Merge pull request #184 from rails/dependabot/bundler/rexml-3.2.8
build(deps-dev): bump rexml from 3.2.6 to 3.2.8
Merge pull request #182 from trevorrjohn/main
Small simplification
Merge pull request #180 from dogweather/patch-1
Update sanitizer.rb: add <mark> to safe list
Merge pull request #179 from rails/flavorjones-dep-bundle-update-20240409
dep: bundle update
Merge pull request #178 from rails/dependabot/bundler/rack-3.0.9.1
build(deps-dev): bump rack from 3.0.8 to 3.0.9.1
Merge pull request #177 from jweir/ruby-version-cleanup
Remove checks for Ruby versions no longer supported
Merge pull request #176 from m-nakamura145/update-checkout-action
Update latest checkout action version
Merge pull request #173 from rails/flavorjones-gemfile-lock
Merge pull request #174 from rails/flavorjones-202401-rubocop-update
track Gemfile.lock
Merge pull request #175 from akhilgkrishnan/bump-versions-in-workflow
Bump action/checkout and ruby version in workflow
style: update rubocop config to match latest rails config
Merge pull request #172 from m-nakamura145/update-ci-matrix
Add Ruby 3.3 to CI matrix
Commits (nokogiri, transitive dependency bumped to 1.16.8 by this update)
See the full diff on GitHub. The new version differs by 4 commits:
version bump to v1.16.8
fix: escape foreign style tag content when serializing HTML5 (v1.16.x) (#3349)
doc: update CHANGELOG
fix: escape foreign style tag content when serializing HTML5
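The PR names two version floors that matter for this fix: rails-html-sanitizer 1.6.1 itself, and the nokogiri 1.16.8 bump it pulls in for the HTML5 foreign-style serialization issue. Before merging across many repositories it is useful to check which Gemfile.lock files are still below either floor. The following is an added example written for this page, not code from Depfu, Rails or the rails-html-sanitizer project; the sample lockfile is constructed, and the function names (`parse_lockfile`, `vulnerable_gems`) are this example's own. It uses only Ruby's standard library (`Gem::Version`), so it runs without the gems installed.

```ruby
# Added example (not part of the Depfu PR or rails-html-sanitizer):
# flag a Gemfile.lock that is below the versions this update requires.
require "rubygems"

# Minimum versions taken from this PR: rails-html-sanitizer 1.6.1 (the update
# itself) and nokogiri 1.16.8 (the transitive bump carrying the HTML5
# foreign-style serialization fix).
REQUIRED_VERSIONS = {
  "rails-html-sanitizer" => Gem::Version.new("1.6.1"),
  "nokogiri"             => Gem::Version.new("1.16.8"),
}.freeze

# Parse every `specs:` block of a Gemfile.lock into {gem name => Gem::Version}.
# Spec lines are indented exactly four spaces, e.g. "    nokogiri (1.16.7-x86_64-linux)";
# their dependency lines are indented six spaces and are skipped. A platform
# suffix after "-" is dropped so it is not mistaken for a prerelease marker.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A non-indented line (PLATFORMS, DEPENDENCIES, another GEM block) ends the specs.
    in_specs = false if in_specs && line.match?(/\A\S/)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^-)\s]+)(?:-[^)]*)?\)/))
      next unless Gem::Version.correct?(m[2])
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Return the gems still below their minimum version, as {name => locked version}.
# A gem absent from the lockfile is not reported: there is nothing to patch.
def vulnerable_gems(locked, required = REQUIRED_VERSIONS)
  required.each_with_object({}) do |(name, minimum), out|
    installed = locked[name]
    out[name] = installed if installed && installed < minimum
  end
end

# Constructed sample lockfile (not from any real project) pinned at the
# pre-update versions, so both gems should be flagged.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.22.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails-html-sanitizer (~> 1.6)
LOCK

if $PROGRAM_NAME == __FILE__
  flagged = vulnerable_gems(parse_lockfile(SAMPLE_LOCKFILE))
  if flagged.empty?
    puts "OK: lockfile is at or above the versions in this update"
  else
    flagged.each do |name, version|
      puts "VULNERABLE: #{name} #{version} < #{REQUIRED_VERSIONS[name]}"
    end
  end
end
```

To check a real project, replace `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`. The platform-suffix handling matters in practice: `Gem::Version` treats a hyphen as a prerelease separator, so a naive parse of `nokogiri (1.16.8-x86_64-linux)` would compare as older than 1.16.8 and produce a false positive.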
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.
All Depfu comment commands