Releases: rgrove/sanitize
v2.1.1
- CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS (backported from Sanitize 4.6.3). @dometto - #188
  When Sanitize <= 2.1.0 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.
  Sanitize now performs additional escaping on affected attributes to prevent this.
  Many thanks to the Shopify Application Security Team for responsibly reporting this issue.
v4.6.6
- Improved performance and memory usage by optimizing `Sanitize#transform_node!`. @stanhu - #183
v4.6.5
- Improved performance slightly by tweaking the order of built-in transformers. @rafbm - #180
4.6.4 (2018-03-20)
- Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. @zetter - #177
4.6.3 (2018-03-19)
- CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.
  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.
  Sanitize now performs additional escaping on affected attributes to prevent this.
  Many thanks to the Shopify Application Security Team for responsibly reporting this issue.
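The two CVE-2018-3740 entries (v2.1.1 and 4.6.3) both describe the same failure mode: an attribute value that is serialized without proper escaping lets a downstream parser see attributes the whitelist never approved. The following added example, which is not Sanitize's own code and does not reproduce the libxml2 behaviour, shows in plain Ruby why escaping attribute values before serialization matters and how a post-sanitization check can flag any attribute that survives outside the whitelist. The whitelist, the `serialize` helper and the minimal double-quoted-attribute tokenizer are all constructed for illustration.

```ruby
require 'cgi'
require 'set'

# Constructed example whitelist (not Sanitize's real relaxed config).
ALLOWED_ATTRIBUTES = {
  'a'   => Set['href', 'title'],
  'img' => Set['src', 'alt']
}.freeze

# Escape an attribute value so it cannot terminate its own quotes.
# CGI.escapeHTML turns & < > " ' into entities.
def escape_attribute(value)
  CGI.escapeHTML(value.to_s)
end

# Serialize one element, keeping only whitelisted attributes.
# `escape: false` models the improperly escaped output described
# in the changelog; `escape: true` models the corrected behaviour.
def serialize(tag, attrs, escape: true)
  allowed = ALLOWED_ATTRIBUTES.fetch(tag) { Set.new }
  kept = attrs.select { |name, _| allowed.include?(name) }
  body = kept.map do |name, value|
    %( #{name}="#{escape ? escape_attribute(value) : value}")
  end.join
  "<#{tag}#{body}>"
end

# Minimal tokenizer for double-quoted attributes; stands in for
# whatever parser consumes the sanitized output. Not a full HTML parser.
ATTR_RE = /([a-zA-Z][\w:-]*)="([^"]*)"/

def parsed_attributes(html)
  html.scan(ATTR_RE).map(&:first)
end

# Attributes a consumer would see that are NOT in the whitelist for `tag`.
# An empty array is the property the Sanitize fix restores.
def unexpected_attributes(tag, html)
  allowed = ALLOWED_ATTRIBUTES.fetch(tag) { Set.new }
  parsed_attributes(html).reject { |name| allowed.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a whitelisted attribute whose value contains a quote.
  attrs = { 'title' => 'x" data-extra="y' }
  puts serialize('a', attrs, escape: false)
  puts unexpected_attributes('a', serialize('a', attrs, escape: false)).inspect
  puts serialize('a', attrs, escape: true)
  puts unexpected_attributes('a', serialize('a', attrs, escape: true)).inspect
end
```

The same shape of check, with a real parser such as Nokogiri re-reading Sanitize's output and comparing every attribute against the configured whitelist, makes a useful regression test after upgrading to a fixed release.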
4.6.2 (2018-03-19)
- Reduced string allocations to optimize memory usage. @janklimo - #175
4.6.1 (2018-03-15)
- Added support for frozen string literals in Ruby 2.4+. @flavorjones - #174
4.6.0 (2018-01-29)
- Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. @rafbm - #171
4.5.0 (2017-06-04)
- Added SVG-related CSS properties to the relaxed config. See the diff for the full list of added properties. @louim - #161
- Fixed: Sanitize now strips null bytes (`\u0000`) before passing input to Nokogumbo, since they can cause recent versions to crash with a failed assertion in the Gumbo parser.
4.4.0 (2016-09-29)
- Added `srcset` to the attribute whitelist for `img` elements in the relaxed config. @ejtttje - #156