From 041c068cec516474d61862faf3910b26c7e10073 Mon Sep 17 00:00:00 2001
From: Ryan Grove <ryan@wonko.com>
Date: Mon, 26 Jun 2023 11:31:55 -0700
Subject: [PATCH 1/3] Escape `</` to prevent a style element from being closed
 prematurely

---
 lib/sanitize/transformers/clean_css.rb |  1 +
 test/test_malicious_css.rb             | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/lib/sanitize/transformers/clean_css.rb b/lib/sanitize/transformers/clean_css.rb
index 4203bf6..fc26c61 100644
--- a/lib/sanitize/transformers/clean_css.rb
+++ b/lib/sanitize/transformers/clean_css.rb
@@ -48,6 +48,7 @@ def call(env)
     if css.strip.empty?
       node.unlink
     else
+      css.gsub!('</', '<\/')
       node.children.unlink
       node << Nokogiri::XML::Text.new(css, node.document)
     end
diff --git a/test/test_malicious_css.rb b/test/test_malicious_css.rb
index 52c9539..eecedbd 100644
--- a/test/test_malicious_css.rb
+++ b/test/test_malicious_css.rb
@@ -39,4 +39,17 @@
   it 'should not allow behaviors' do
     _(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
   end
+
+  describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RELAXED)
+    end
+
+    it 'is not possible to prematurely end a <style> element' do
+      assert_equal(
+        %[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
+        @s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
+      )
+    end
+  end
 end

From 773d927bc457f5cae21edc059654abc98101413c Mon Sep 17 00:00:00 2001
From: Ryan Grove <ryan@wonko.com>
Date: Mon, 26 Jun 2023 13:43:07 -0700
Subject: [PATCH 2/3] Update history

---
 HISTORY.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/HISTORY.md b/HISTORY.md
index 4d14d0c..287aa0b 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,22 @@
 # Sanitize History
 
+## 6.0.2 (2023-07-06)
+
+### Bug Fixes
+
+* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
+  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
+  6.0.1.
+
+  When using Sanitize's relaxed config or a custom config that allows `<style>`
+  elements and one or more CSS at-rules, carefully crafted input could be used
+  to sneak arbitrary HTML through Sanitize.
+
+  See the following security advisory for additional details:
+  [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
+
+  Thanks to @cure53 for finding this issue.
+
 ## 6.0.1 (2023-01-27)
 
 ### Bug Fixes

From 3481ac3f1255c6584c67fad2f9e44d809273125d Mon Sep 17 00:00:00 2001
From: Ryan Grove <ryan@wonko.com>
Date: Mon, 3 Jul 2023 11:00:25 -0700
Subject: [PATCH 3/3] Release 6.0.2

---
 lib/sanitize/version.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/sanitize/version.rb b/lib/sanitize/version.rb
index 0847cce..ce1fa6b 100644
--- a/lib/sanitize/version.rb
+++ b/lib/sanitize/version.rb
@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 class Sanitize
-  VERSION = '6.0.1'
+  VERSION = '6.0.2'
 end