Sourced from rails-html-sanitizer's releases.

1.5.0 / 2023-01-20

- `SafeListSanitizer`, `PermitScrubber`, and `TargetScrubber` now all support pruning of unsafe tags. By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing `prune: true` to any of these classes' constructors.

1.4.4 / 2022-12-13

- Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information. (Mike Dalessio)
- Address improper sanitization of data URIs. Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information. (Mike Dalessio)
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information. (Mike Dalessio)
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information. (Mike Dalessio)
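The strip-versus-prune distinction in the 1.5.0 entry above, shown as an added example. This is not code from rails-html-sanitizer or Loofah; it is a hand-built tree model of the two behaviours so that it runs without the gem or an HTML parser. The `el`, `txt`, `sanitize_node` and `serialize` helpers, the `ALLOWED` list and the sample tree are assumptions of the example. The only library call it mentions, `Rails::Html::SafeListSanitizer.new(prune: true)`, is the constructor option the entry describes and appears only in a comment.

```ruby
# Added example (not code from rails-html-sanitizer or Loofah): a minimal model
# of the two ways a safe-list sanitizer can treat an element that is not allowed.
#   strip  - remove only the tag; its children are hoisted into the parent
#   prune  - remove the element together with everything beneath it
# In the real library the switch is the constructor option added in 1.5.0, e.g.
#   Rails::Html::SafeListSanitizer.new(prune: true).sanitize(html)
# The tree below is built by hand so this file needs no gem and no parser.

Node = Struct.new(:name, :children, :text)

def el(name, *children)
  Node.new(name, children, nil)
end

def txt(s)
  Node.new("#text", [], s)
end

# Returns the list of nodes that take the place of +node+ in the sanitized tree.
def sanitize_node(node, allowed, prune:)
  return [node] if node.name == "#text"
  kids = node.children.flat_map { |c| sanitize_node(c, allowed, prune: prune) }
  if allowed.include?(node.name)
    [Node.new(node.name, kids, nil)]
  elsif prune
    []      # element and its whole subtree are removed
  else
    kids    # only the tag is removed; its sanitized children survive in its place
  end
end

def serialize(nodes)
  nodes.map do |n|
    n.name == "#text" ? n.text : "<#{n.name}>#{serialize(n.children)}</#{n.name}>"
  end.join
end

ALLOWED = %w[div b].freeze

# Constructed input, equivalent to
#   <div><b>ok</b><iframe>fallback<b>inner</b></iframe></div>
# iframe is not on the safe list; what happens to its contents is the difference.
SAMPLE = el("div",
            el("b", txt("ok")),
            el("iframe", txt("fallback"), el("b", txt("inner"))))

def strip_example
  serialize(sanitize_node(SAMPLE, ALLOWED, prune: false))
end

def prune_example
  serialize(sanitize_node(SAMPLE, ALLOWED, prune: true))
end

if __FILE__ == $0
  puts "strip: #{strip_example}"
  puts "prune: #{prune_example}"
end
```

With stripping, the text and the nested `<b>` that sat inside the disallowed `iframe` come out as ordinary content of the `div`; with pruning they are gone. Pruning is the setting to reach for when content wrapped in a disallowed container must not reappear in the output.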
Commits

- a337ec8 version bump to v1.5.0
- 459f1cd Merge pull request #149 from kyoshidajp/update-checkout-v3
- 23ac131 Bump actions/checkout from 2 to 3
- 79bc10b Merge pull request #147 from rails/flavorjones-port-1.4.4-changes
- 9ef5975 dev: set version to 1.5.0.dev
- e31343f doc: changelog entry for 1.4.4
- e8cbe25 dep: bump dependency on loofah
- 373fc62 fix: escape CDATA nodes using Loofah's escaping methods
- 68ccf7e revert 45a5c10
- bb6dfcb fix: use Loofah's scrub_uri_attribute method

Sourced from loofah's releases.
2.20.0 / 2023-04-01

Features

- Allow SVG attributes `color-profile`, `cursor`, `filter`, `marker`, and `mask`. [#246]
- Allow SVG elements `altGlyph`, `cursor`, `feImage`, `pattern`, and `tref`. [#246]
- Allow protocols `fax` and `modem`. [#255] (Thanks, @cjba7!)

2.19.1 / 2022-12-13

Security

- Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
- Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
- Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

2.19.0 / 2022-09-14

Features

- Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]
Commits

- 3d80a4e version bump to v2.20.0
- c8211c1 Merge pull request #260 from flavorjones/flavorjones-more-flexible-testing
- 24dbde5 test: make the generated tests more flexible
- 6944760 Merge pull request #259 from orien/ruby3.2
- f5ab30b CI: add Ruby 3.2 to the test matrix
- f8df852 Merge pull request #257 from kyoshidajp/update-checkout-v3
- 254a1c9 Bump actions/checkout from 2 to 3
- 01305b6 Merge pull request #255 from cjba7/cjba7-add-fax-to-acceptable-protocols
- b0e6f7c doc: update CHANGELOG
- ed2c917 Added "fax" and "modem" to acceptable protocols based on rfc2806.

Sourced from rack's changelog.
Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

- `rack.input` is now optional. (#1997, @ioquatix)

Changed

- `rack.input` is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, @ioquatix)
- Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. (#2019, @ioquatix)
- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` (1bd0f15)
- Add `.mjs` MIME type (#2057, @axilleas)

[3.0.7] - 2023-03-16

- Make query parameters without `=` have `nil` values. (#2059, @jeremyevans)

[3.0.6.1] - 2023-03-13

- [CVE-2023-27539] Avoid ReDoS in header parsing

[3.0.6] - 2023-03-13

- Add `QueryParser#missing_value` for handling missing values + tests. (#2052, @ioquatix)

[3.0.5] - 2023-03-13

- Split form/query parsing into two steps. (#2038, @matthewd)

[3.0.4.2] - 2023-03-02

- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts

[3.0.4.1] - 2023-01-17

- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

[3.0.4] - 2023-01-17

- `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. (#2010, @ioquatix)
- Fix `Rack::Lint` error message for `HTTP_CONTENT_TYPE` and `HTTP_CONTENT_LENGTH`. (#2007, @byroot)
- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. (#2006, @byroot)

[3.0.3] - 2022-12-27

... (truncated)
Commits

- 27addc7 bump version
- ee7919e Avoid ReDoS problem
- d6b5b2b bump version
- 9aac375 Limit all multipart parts, not just files
- 2606ac5 bumping version
- f6d4f52 Fix ReDoS in Rack::Utils.get_byte_ranges
- 20bc90c bump version
- 3677f17 Update changelog
- ee25ab9 Fix ReDoS vulnerability in multipart parser
- 19e49f0 Forbid control characters in attributes