This repository has been archived by the owner on Nov 17, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
122: [Security] Bump loofah from 2.2.3 to 2.4.0 r=michaelbaudino a=dependabot-preview[bot] Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.3 to 2.4.0. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2019-15587.yml).* > **Loofah XSS Vulnerability** > In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in > sanitized output when a crafted SVG element is republished. > > Patched versions: >= 2.3.1 > Unaffected versions: none </details> <details> <summary>Release notes</summary> *Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).* > ## 2.4.0 / 2019-11-25 > > ### Features > > * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@​bchaney](https://github.com/bchaney)!) > * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)] > * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118) > > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@​danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@​jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@​georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@​andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@​asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@​JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive. > > </details> <details> <summary>Changelog</summary> *Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).* > ## 2.4.0 / 2019-11-25 > > ### Features > > * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@​bchaney](https://github.com/bchaney)!) > * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)] > * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118) > > > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@​danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@​jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@​georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@​andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@​asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@​JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive. </details> <details> <summary>Commits</summary> - [`724ac1c`](flavorjones/loofah@724ac1c) version bump to v2.4.0 - [`e808fb6`](flavorjones/loofah@e808fb6) ci: don't turn on frozen strings until after bundle install - [`0eb9976`](flavorjones/loofah@0eb9976) update CHANGELOG - [`0783f5b`](flavorjones/loofah@0783f5b) add magic comment for frozen string literals to all files - [`5ce3a71`](flavorjones/loofah@5ce3a71) add rubocop as dev dep and configure security and frozen string cops - [`82ae384`](flavorjones/loofah@82ae384) test suite should check compatibility with frozen string literals - [`8747065`](flavorjones/loofah@8747065) Merge pull request [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) from bchaney/allow-css-max-width - [`2767ae3`](flavorjones/loofah@2767ae3) Merge pull request [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177) from flavorjones/176-allow-rem-css-sizes - [`13f734f`](flavorjones/loofah@13f734f) css sanitizer allows "rem" sizes - [`2699b61`](flavorjones/loofah@2699b61) Allow CSS property: max-width - Additional commits viewable in [compare view](flavorjones/loofah@v2.2.3...v2.4.0) </details> <br /> [](https://dependabot.com/compatibility-score.html?dependency-name=loofah&package-manager=bundler&previous-version=2.2.3&new-version=2.4.0) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) Dependabot will **not** automatically merge this PR because it includes a minor update to a production dependency. [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) </details> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
- Loading branch information
