Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghc-xss-sanitize for openSUSE:Factory checked in at 2023-04-07 18:16:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-xss-sanitize (Old) and /work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.19717 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-xss-sanitize" Fri Apr 7 18:16:47 2023 rev:8 rq:1077771 version:0.3.7.2 Changes: --------
--- /work/SRC/openSUSE:Factory/ghc-xss-sanitize/ghc-xss-sanitize.changes 2023-04-04 21:25:17.690853307 +0200
+++ /work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.19717/ghc-xss-sanitize.changes 2023-04-07 18:16:50.708724748 +0200
@@ -1,0 +2,8 @@
+Sat Apr 1 17:04:24 UTC 2023 - Peter Simons <psim...@suse.com>
+
+- Update xss-sanitize to version 0.3.7.2.
+ # 0.3.7.2
+
+ Stops Tag Soup from escaping &"<> which breaks HTML entities
+
+------------------------------------------------------------------- Old: ---- xss-sanitize-0.3.7.1.tar.gz New: ---- xss-sanitize-0.3.7.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-xss-sanitize.spec ++++++
--- /var/tmp/diff_new_pack.3wdZiX/_old 2023-04-07 18:16:52.424734633 +0200
+++ /var/tmp/diff_new_pack.3wdZiX/_new 2023-04-07 18:16:52.424734633 +0200
@@ -20,7 +20,7 @@
 %global pkgver %{pkg_name}-%{version}
 %bcond_with tests
 Name: ghc-%{pkg_name}
-Version: 0.3.7.1
+Version: 0.3.7.2
 Release: 0
 Summary: Sanitize untrusted HTML to prevent XSS attacks
 License: BSD-2-Clause ++++++ xss-sanitize-0.3.7.1.tar.gz -> xss-sanitize-0.3.7.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.7.1/ChangeLog.md new/xss-sanitize-0.3.7.2/ChangeLog.md
--- old/xss-sanitize-0.3.7.1/ChangeLog.md 2022-11-29 06:33:44.000000000 +0100
+++ new/xss-sanitize-0.3.7.2/ChangeLog.md 2023-04-01 19:01:30.000000000 +0200
@@ -1,3 +1,7 @@
+# 0.3.7.2
+
+Stops Tag Soup from escaping &"<> which breaks HTML entities
+
 # 0.3.7.1
 add max height and max width as valid style attributes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.7.1/src/Text/HTML/SanitizeXSS.hs new/xss-sanitize-0.3.7.2/src/Text/HTML/SanitizeXSS.hs
--- old/xss-sanitize-0.3.7.1/src/Text/HTML/SanitizeXSS.hs 2022-11-29 06:33:44.000000000 +0100
+++ new/xss-sanitize-0.3.7.2/src/Text/HTML/SanitizeXSS.hs 2023-04-01 19:01:30.000000000 +0200
@@ -13,6 +13,8 @@
 , filterTags
 , safeTags
 , safeTagsCustom
+ , clearTags
+ , clearTagsCustom
 , balanceTags
 -- * Utilities
@@ -57,11 +59,12 @@
 -- | Parse the given text to a list of tags, apply the given filtering
 -- function, and render back to HTML. You can insert your own custom
 -- filtering, but make sure you compose your filtering function with
--- 'safeTags' or 'safeTagsCustom'.
+-- 'safeTags' and 'clearTags' or 'safeTagsCustom' and 'clearTagsCustom'.
 filterTags :: ([Tag Text] -> [Tag Text]) -> Text -> Text
 filterTags f = renderTagsOptions renderOptions {
- optMinimize = \x -> x `member` voidElems -- <img><img> converts to <img />, <a/> converts to <a></a>
- } . f . canonicalizeTags . parseTags
+ optEscape = id -- stops &"<> from being escaped which breaks existing HTML entities
+ , optMinimize = \x -> x `member` voidElems -- <img><img> converts to <img />, <a/> converts to <a></a>
+ } . f . canonicalizeTags . parseTagsOptions (parseOptionsEntities (const Nothing))
 voidElems :: Set T.Text
 voidElems = fromAscList $ T.words $ T.pack "area base br col command embed hr img input keygen link meta param source track wbr"
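Review bot: `optEscape = id` in the rewritten `filterTags` switches off escaping for every text node and every attribute value, not only for an `&` that already begins an entity reference; since TagSoup's renderer runs the same escape function over attribute values, a `"` inside an attribute value is now emitted unescaped between the double quotes the renderer adds, and a `<` or `>` that the parser classified as text goes out raw, so the sanitizer's guarantee now rests on TagSoup and the browser agreeing on where a tag starts. A narrower escape that still escapes `"`, `<` and `>` and leaves `&` alone only when it begins a well-formed reference (`&name;`, `&#NNN;`, `&#xHH;`) would keep existing entities intact without widening what the renderer lets through; `parseOptionsEntities (const Nothing)` already keeps references as literal text, so the escape only needs to recognise them. Whatever is chosen, the inline comment should say that attribute values are affected too, e.g. `-- NOTE: no output escaping at all, for text nodes AND attribute values; entities pass through verbatim`. The "big test" in test/main.hs does not cover a quote inside an attribute value or a bare `<` in a text node; one case for each would pin the intended behaviour.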
@@ -108,9 +111,17 @@
 | otherwise = safeTagsCustom safeName sanitizeAttr tags
 safeTagsCustom n a (t:tags) = t : safeTagsCustom n a tags
+-- | Directly removes tags even if they are not closed properly.
+-- This is importent to clear out both the script and iframe tag
+-- in sequences like "<script><iframe></iframe>".
 clearTags :: [Tag Text] -> [Tag Text]
 clearTags = clearTagsCustom clearableTagName
+-- | Directly removes tags, like clearTags, but uses a custom
+-- function for determining which tags are safe.
+--
+-- @clearTagsCustom clearableTagName@ is equivalent to
+-- 'clearTags'.
 clearTagsCustom :: (Text -> Bool) -> [Tag Text] -> [Tag Text]
 clearTagsCustom _ [] = []
 clearTagsCustom clearableName (tag@(TagOpen name _) : tags)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.7.1/test/main.hs new/xss-sanitize-0.3.7.2/test/main.hs
--- old/xss-sanitize-0.3.7.1/test/main.hs 2022-11-29 06:33:44.000000000 +0100
+++ new/xss-sanitize-0.3.7.2/test/main.hs 2023-04-01 19:01:30.000000000 +0200
@@ -27,6 +27,9 @@
 main :: IO ()
 main = hspec $ do
+ describe "Sanitized HTML is not changed" $ do
+ it "HTML entities should not be escaped" $ do
+ test (filterTags safeTags) "text more text" "text more text"
 describe "html sanitizing" $ do
 it "big test" $ do
 let testHTML = " <a href='http://safe.com'>safe</a><a href='unsafe://hack.com'>anchor</a> <img src='evil://evil.com' /> <unsafe></foo> <bar /> <br></br> <b>Unbalanced</div><img src='http://safe.com'>"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.7.1/xss-sanitize.cabal new/xss-sanitize-0.3.7.2/xss-sanitize.cabal
--- old/xss-sanitize-0.3.7.1/xss-sanitize.cabal 2022-11-29 06:33:47.000000000 +0100
+++ new/xss-sanitize-0.3.7.2/xss-sanitize.cabal 2023-04-01 19:01:35.000000000 +0200
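Review bot: The new haddock on `clearTagsCustom` says the predicate is for "determining which tags are safe", but the parameter is named `clearableName` and `clearTags` instantiates it with `clearableTagName`, so the predicate selects the tags to be removed; on a removal primitive in a sanitizer the inverted wording is worth fixing: `-- function for deciding which tags are cleared (removed outright).` The `clearTags` haddock also misspells `importent` for `important`. The body of `clearTagsCustom` continues outside the hunk, so what happens to the matching close tags is not visible here and the haddock could state it explicitly.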
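Review bot: As rendered here, the input and expected strings of the new `it "HTML entities should not be escaped"` example are both `"text more text"` and contain no entity reference, so the example does not exercise the behaviour its description names; the entity may have been lost in the mail rendering, but if the upstream test reads the same it should use an input containing a reference such as `&amp;` and assert it comes back verbatim. A companion example stating what `filterTags safeTags` now does with a literal `"`, `<` or `>` that is not part of an entity, once in a text node and once in an attribute value, would document the relaxation introduced in SanitizeXSS.hs either way. `main` continues beyond the hunk.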
@@ -1,11 +1,11 @@
 cabal-version: 1.12
--- This file has been generated from package.yaml by hpack version 0.35.0.
+-- This file has been generated from package.yaml by hpack version 0.35.1.
 --
 -- see: https://github.com/sol/hpack
 name: xss-sanitize
-version: 0.3.7.1
+version: 0.3.7.2
 synopsis: sanitize untrusted HTML to prevent XSS attacks
 description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for more details
 category: Web