Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bump rails-html-sanitizer from 1.4.3 to 1.5.0 (#480)
Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.4.3 to 1.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's releases</a>.</em></p> <blockquote> <h2>1.5.0 / 2023-01-20</h2> <ul> <li> <p><code>SafeListSanitizer</code>, <code>PermitScrubber</code>, and <code>TargetScrubber</code> now all support pruning of unsafe tags.</p> <p>By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing <code>prune: true</code> to any of these classes' constructors.</p> <p><em><a href="https://github.com/seyerian"><code>@seyerian</code></a></em></p> </li> </ul> <h2>1.4.4 / 2022-12-13</h2> <ul> <li> <p>Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23517. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address improper sanitization of data URIs.</p> <p>Fixes CVE-2022-23518 and <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23520. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23519. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/blob/master/CHANGELOG.md">rails-html-sanitizer's changelog</a>.</em></p> <blockquote> <h2>1.5.0 / 2023-01-20</h2> <ul> <li> <p><code>SafeListSanitizer</code>, <code>PermitScrubber</code>, and <code>TargetScrubber</code> now all support pruning of unsafe tags.</p> <p>By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing <code>prune: true</code> to any of these classes' constructors.</p> <p><em>seyerian</em></p> </li> </ul> <h2>1.4.4 / 2022-12-13</h2> <ul> <li> <p>Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23517. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address improper sanitization of data URIs.</p> <p>Fixes CVE-2022-23518 and <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23520. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23519. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/a337ec8a348b15a5ae52c5698cbf38dbc50bf34d"><code>a337ec8</code></a> version bump to v1.5.0</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/459f1cdf32adbd6e17d65505e416d168fab212bc"><code>459f1cd</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/149">#149</a> from kyoshidajp/update-checkout-v3</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/23ac131774ea28aea192576d83d88d9efda64f5d"><code>23ac131</code></a> Bump actions/checkout from 2 to 3</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/79bc10bc0cb07624c43a66899f16385b7dab4f76"><code>79bc10b</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/147">#147</a> from rails/flavorjones-port-1.4.4-changes</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/9ef5975c969949750806cd684ce719ad6d6a08cf"><code>9ef5975</code></a> dev: set version to 1.5.0.dev</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/e31343f01c6e2a08c8f35bfd531792a3c1786c92"><code>e31343f</code></a> doc: changelog entry for 1.4.4</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/e8cbe25634fc7455b80a5f8569b82e5c93dd580c"><code>e8cbe25</code></a> dep: bump dependency on loofah</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/373fc6295918c4b0aad02111e869f4e0c6fc788b"><code>373fc62</code></a> fix: escape CDATA nodes using Loofah's escaping methods</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/68ccf7e1dbaa425cc4a8651d5f583e754ef5061c"><code>68ccf7e</code></a> revert 45a5c10</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/bb6dfcbaaf9c5c8c4f77555557693c08d4d4ab48"><code>bb6dfcb</code></a> fix: use Loofah's scrub_uri_attribute method</li> <li>Additional commits viewable in <a href="https://github.com/rails/rails-html-sanitizer/compare/v1.4.3...v1.5.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rails-html-sanitizer&package-manager=bundler&previous-version=1.4.3&new-version=1.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/magicstone-dev/ecko/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Loading branch information