Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rails-html-sanitizer for
openSUSE:Factory checked in at 2021-08-25 20:58:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.1899
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-html-sanitizer"
Wed Aug 25 20:58:13 2021 rev:8 rq:914130 version:1.4.2
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer/rubygem-rails-html-sanitizer.changes
2019-11-13 13:26:21.311574390 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.1899/rubygem-rails-html-sanitizer.changes
2021-08-25 20:59:43.657041508 +0200
@@ -1,0 +2,35 @@
+Wed Aug 25 05:24:58 UTC 2021 - Manuel Schnitzer <[email protected]>
+
+- updated to version 1.4.2
+
+ * Slightly improve performance.
+
+ Assuming elements are more common than comments, make one less method call
per node.
+
+ *Mike Dalessio*
+
+ ## 1.4.1 / 2021-08-18
+
+ * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+
+ Some scrubbers will want to override the default behavior and allow
comments, but v1.4.0 only
+ passed through elements to the scrubber's `keep_node?` method.
+
+ This change once again allows the scrubber to make the decision on comment
nodes, but still skips
+ other non-elements like processing instructions (see #115).
+
+ *Mike Dalessio*
+
+ ## 1.4.0 / 2021-08-18
+
+ * Processing Instructions are no longer allowed by
Rails::Html::PermitScrubber
+
+ Previously, a PI with a name (or "target") matching an allowed tag name
was not scrubbed. There
+ are no known security issues associated with these PIs, but similar to
comments it's preferred to
+ omit these nodes when possible from sanitized output.
+
+ Fixes #115.
+
+ *Mike Dalessio*
+
+-------------------------------------------------------------------
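Review bot: the entry pastes the upstream CHANGELOG.md markdown (`## 1.4.1 / 2021-08-18` headings, `*Mike Dalessio*` emphasis) under a single `- updated to version 1.4.2` bullet; .changes files are plain text, so each version would read better as its own indented `*` bullet (`* 1.4.1: fix regression in v1.4.0 that did not pass comment nodes to the scrubber`) with the author emphasis dropped. Content-wise the entry does surface the one behavior change downstream users should notice, namely that `Rails::Html::PermitScrubber` now drops processing instructions.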
Old:
----
rails-html-sanitizer-1.3.0.gem
New:
----
rails-html-sanitizer-1.4.2.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-html-sanitizer.spec ++++++
--- /var/tmp/diff_new_pack.ImHqZG/_old 2021-08-25 20:59:44.185040815 +0200
+++ /var/tmp/diff_new_pack.ImHqZG/_new 2021-08-25 20:59:44.189040809 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-html-sanitizer
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-rails-html-sanitizer
-Version: 1.3.0
+Version: 1.4.2
Release: 0
%define mod_name rails-html-sanitizer
%define mod_full_name %{mod_name}-%{version}
@@ -37,7 +37,7 @@
BuildRequires: %{rubygem gem2rpm}
BuildRequires: %{ruby}
BuildRequires: ruby-macros >= 5
-Url: https://github.com/rails/rails-html-sanitizer
+URL: https://github.com/rails/rails-html-sanitizer
Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: gem2rpm.yml
Summary: HTML sanitization to Rails applications (part of Rails)
++++++ rails-html-sanitizer-1.3.0.gem -> rails-html-sanitizer-1.4.2.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2019-10-06 17:11:17.000000000 +0200
+++ new/CHANGELOG.md 2021-08-24 02:16:06.000000000 +0200
@@ -1,3 +1,35 @@
+## 1.4.2 / 2021-08-23
+
+* Slightly improve performance.
+
+ Assuming elements are more common than comments, make one less method call
per node.
+
+ *Mike Dalessio*
+
+## 1.4.1 / 2021-08-18
+
+* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+
+ Some scrubbers will want to override the default behavior and allow
comments, but v1.4.0 only
+ passed through elements to the scrubber's `keep_node?` method.
+
+ This change once again allows the scrubber to make the decision on comment
nodes, but still skips
+ other non-elements like processing instructions (see #115).
+
+ *Mike Dalessio*
+
+## 1.4.0 / 2021-08-18
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+ Previously, a PI with a name (or "target") matching an allowed tag name was
not scrubbed. There
+ are no known security issues associated with these PIs, but similar to
comments it's preferred to
+ omit these nodes when possible from sanitized output.
+
+ Fixes #115.
+
+ *Mike Dalessio*
+
## 1.3.0
* Address deprecations in Loofah 2.3.0.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2019-10-06 17:11:17.000000000 +0200
+++ new/README.md 2021-08-24 02:16:06.000000000 +0200
@@ -81,8 +81,10 @@
#### `Rails::Html::TargetScrubber`
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See
https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb
for the tag list.
+**Note:** by default, it will scrub anything that is not part of the permitted
tags from
+loofah `HTML5::Scrub.allowed_element?`.
```ruby
scrubber = Rails::Html::TargetScrubber.new
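Review bot: the new sentence inserts a bare URL to the `main` branch of loofah's `safelist.rb`, which will drift as that file changes; a markdown link pinned to a tag or commit would be more durable. The added **Note:** names `HTML5::Scrub.allowed_element?` without its `Loofah::` namespace, and as written it sits directly between the paragraph and the ```` ```ruby ```` fence with no blank line, so it may render as a continuation of the preceding paragraph rather than a separate note.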
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer/version.rb
new/lib/rails/html/sanitizer/version.rb
--- old/lib/rails/html/sanitizer/version.rb 2019-10-06 17:11:17.000000000
+0200
+++ new/lib/rails/html/sanitizer/version.rb 2021-08-24 02:16:06.000000000
+0200
@@ -1,7 +1,7 @@
module Rails
module Html
class Sanitizer
- VERSION = "1.3.0"
+ VERSION = "1.4.2"
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/scrubbers.rb
new/lib/rails/html/scrubbers.rb
--- old/lib/rails/html/scrubbers.rb 2019-10-06 17:11:17.000000000 +0200
+++ new/lib/rails/html/scrubbers.rb 2021-08-24 02:16:06.000000000 +0200
@@ -68,7 +68,7 @@
end
return CONTINUE if skip_node?(node)
- unless keep_node?(node)
+ unless (node.element? || node.comment?) && keep_node?(node)
return STOP if scrub_node(node) == STOP
end
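Review bot: the new condition `(node.element? || node.comment?) && keep_node?(node)` hard-codes the node-type policy at the call site rather than inside `keep_node?`, so a subclass overriding `keep_node?` can no longer opt in to processing instructions or other non-element, non-comment nodes; those now always fall through to `scrub_node`. That matches the 1.4.0/1.4.1 changelog intent, but the line deserves a short comment citing #115 so a later reader does not "simplify" it back to `unless keep_node?(node)`. Also note that existing `keep_node?` overrides which assumed an element (for example touching `node.attributes`) now receive comment nodes again, since this hunk restores the 1.4.1 behavior of routing comments through that call.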
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2019-10-06 17:11:17.000000000 +0200
+++ new/metadata 2021-08-24 02:16:06.000000000 +0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rails-html-sanitizer
version: !ruby/object:Gem::Version
- version: 1.3.0
+ version: 1.4.2
platform: ruby
authors:
- Rafael Mendon??a Fran??a
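Review bot: the context line `- Rafael Mendon??a Fran??a` shows the author's name with replacement characters; this is the diff being rendered without UTF-8 in the mail, not a change to the gem metadata, so there is nothing to fix in the package.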
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2019-10-06 00:00:00.000000000 Z
+date: 2021-08-24 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: loofah
@@ -101,7 +101,11 @@
homepage: https://github.com/rails/rails-html-sanitizer
licenses:
- MIT
-metadata: {}
+metadata:
+ bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+ changelog_uri:
https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
post_install_message:
rdoc_options: []
require_paths:
@@ -117,10 +121,10 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.15
signing_key:
specification_version: 4
summary: This gem is responsible to sanitize HTML fragments in Rails
applications.
test_files:
-- test/scrubbers_test.rb
- test/sanitizer_test.rb
+- test/scrubbers_test.rb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/sanitizer_test.rb new/test/sanitizer_test.rb
--- old/test/sanitizer_test.rb 2019-10-06 17:11:17.000000000 +0200
+++ new/test/sanitizer_test.rb 2021-08-24 02:16:06.000000000 +0200
@@ -93,7 +93,7 @@
end
def test_strip_tags_with_plaintext
- assert_equal "Dont touch me", full_sanitize("Dont touch me")
+ assert_equal "Don't touch me", full_sanitize("Don't touch me")
end
def test_strip_tags_with_tags
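Review bot: changing the fixture from `Dont` to `Don't` turns this into an assertion that an apostrophe passes through `full_sanitize` unchanged rather than being entity-encoded, which is a stronger check than before; a one-line comment in the test saying the apostrophe is intentional would stop it reading like a typo fix. The same applies to the `link_sanitize` twin in the next hunk.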
@@ -135,7 +135,7 @@
end
def test_strip_links_with_plaintext
- assert_equal "Dont touch me", link_sanitize("Dont touch me")
+ assert_equal "Don't touch me", link_sanitize("Don't touch me")
end
def test_strip_links_with_line_feed_and_uppercase_tag
@@ -271,7 +271,8 @@
def test_scrub_style_if_style_attribute_option_is_passed
input = '<p style="color: #000; background-image:
url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
- assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input,
attributes: %w(style))
+ actual = safe_list_sanitize(input, attributes: %w(style))
+ assert_includes(['<p style="color: #000;"></p>', '<p
style="color:#000;"></p>'], actual)
end
def test_should_raise_argument_error_if_tags_is_not_enumerable
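Review bot: `assert_includes` with two acceptable serializations (`color: #000;` and `color:#000;`) loosens the assertion to absorb a whitespace difference in how the style value is re-serialized, presumably across Loofah or Nokogiri versions; that is reasonable, but the reason should be stated in a comment, otherwise the second alternative looks arbitrary. Normalizing whitespace after `:` before comparing would keep a single expected value and still tolerate both serializers.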
@@ -413,7 +414,7 @@
end
def test_should_sanitize_div_background_image_unicode_encoded
- raw =
%(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+ raw =
%(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
assert_equal '', sanitize_css(raw)
end
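Review bot: the old fixture used `\0075`-style escapes inside `%()`, which Ruby reads as a three-digit octal escape (`\007`) followed by a literal digit, so the test was not feeding `sanitize_css` the characters the author intended; the new `\u0075`... form decodes to a plain `url(...)` value carrying a `javascript:` scheme, and the expectation of an empty result after sanitization is now meaningful. A comment noting that the `\u` escapes are a deliberate encoding of that value would keep the fixture from being "cleaned up" again.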
@@ -520,6 +521,14 @@
assert_equal %{<a
action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
end
+ def test_exclude_node_type_processing_instructions
+ assert_equal("<div>text</div><b>text</b>",
safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+ end
+
+ def test_exclude_node_type_comment
+ assert_equal("<div>text</div><b>text</b>",
safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
+ end
+
protected
def xpath_sanitize(input, options = {})
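Review bot: `test_exclude_node_type_processing_instructions` depends on the underlying parser turning `<?div content>` into a processing-instruction node, which libxml2's HTML parser does; an HTML5-conformant parser would instead produce a bogus comment, and the test would then pass for a different reason (comment removal). A comment stating the parser assumption would make the test's intent clear.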
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/scrubbers_test.rb new/test/scrubbers_test.rb
--- old/test/scrubbers_test.rb 2019-10-06 17:11:17.000000000 +0200
+++ new/test/scrubbers_test.rb 2021-08-24 02:16:06.000000000 +0200
@@ -41,6 +41,16 @@
assert_scrubbed '<tag>hello</tag>', 'hello'
end
+ def test_default_scrub_removes_comments
+ assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+ '<div>one</div><span>three</span>')
+ end
+
+ def test_default_scrub_removes_processing_instructions
+ assert_scrubbed('<div>one</div><?div two><span>three</span>',
+ '<div>one</div><span>three</span>')
+ end
+
def test_default_attributes_removal_behavior
assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
end
@@ -56,6 +66,12 @@
assert_scrubbed html, '<tag>leave me now</tag>'
end
+ def test_leaves_comments_when_supplied_as_tag
+ @scrubber.tags = %w(div comment)
+ assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+ '<div>one</div><!-- two -->three')
+ end
+
def test_leaves_only_supplied_tags_nested
html = '<tag>leave <em>me <span>now</span></em></tag>'
@scrubber.tags = %w(tag)
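Review bot: `test_leaves_comments_when_supplied_as_tag` relies on the undocumented convention that a comment node reports `node.name == "comment"`, so adding the pseudo-tag `comment` to `@scrubber.tags` keeps comments; the README hunk in this update does not mention this, so either document it there or add a comment in the test. The expected output `'<div>one</div><!-- two -->three'` also shows that `<span>` is stripped to its text while the comment is retained, which is the intended behavior but worth stating in the test so the mixed expectation is not mistaken for an oversight.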