On Friday, 17.03.2023 at 04:58 +0530, Utkarsh Gupta wrote:
> On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta
> <[email protected]> wrote:
> > Please hold off on the update for a while. I have something to add wrt
> > ruby-rails-html-sanitizer. I just haven't had the time to write it
> > down, I'll get back in another ~7h.
>
> In order to fix the CVEs of ruby-rails-html-sanitizer (also in
> dla-needed), we need to ensure that the newer methods that the library
> uses from newer loofah are backported. Some of these methods would've
> been backported by you already (as a part of fixing the CVEs in
> ruby-loofah) and there might be some remaining.

Well, in short, here is what has changed in loofah:

- CVE-2022-23514: just a programmatic change; shouldn't affect anybody
- CVE-2022-23515: data:svg+xml no longer allowed
- CVE-2022-23516: there is a behavioral change (see the thread) - that
  needs probably the most care

I'm not quite sure how much code duplication there actually is, or if
the issues are fixed by fixing loofah. I would have looked myself, but
I haven't been assigned any official hours yet :)

> I could do a thorough review of your patches if you'd like?

Sure, please do so.

> (let me
> know) and make sure that we have everything that we might need for
> ruby-rails-html-sanitizer, too. I also propose that we release the two
> around the same time (after
> smoke-testing, ensuring that the two work well with each other).

So far it still builds and tests successfully. Please let me know if
you see any issues.

> I
> suppose everyone using rails-html-sanitizer should be using loofah,
> too, so it's important we fix both and test them well. :)

I agree. Please let me know of your results.

Regards,
Daniel
