Hello community,
here is the log from the commit of package rubygem-rails-html-sanitizer for
openSUSE:Factory checked in at 2018-03-26 16:02:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-html-sanitizer"
Mon Mar 26 16:02:03 2018 rev:4 rq:590611 version:1.0.4
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer/rubygem-rails-html-sanitizer.changes
2016-03-01 09:43:06.000000000 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new/rubygem-rails-html-sanitizer.changes
2018-03-26 16:02:07.964401130 +0200
@@ -1,0 +2,6 @@
+Fri Mar 23 09:55:41 UTC 2018 - [email protected]
+
+- updated to version 1.0.4
+ * CVE-2018-3741: XSS vulnerability
+
+-------------------------------------------------------------------
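Review bot: the changelog line `* CVE-2018-3741: XSS vulnerability` names the CVE but says nothing about what changed or what the update pulls in. The gem diff below shows the fix is a single added call, `Loofah::HTML5::Scrub.force_correct_attribute_escaping! node`, in the permit scrubber, together with a raised loofah requirement (`~> 2.2`, `>= 2.2.2`) and changed sanitizer output in the tests; a line such as `* fix attribute escaping in PermitScrubber (CVE-2018-3741); needs loofah >= 2.2.2` plus the usual tracker reference (bsc#NNNNNN, number to be filled in by the submitter) would let maintainers and auditors judge the impact without reading the whole diff.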
Old:
----
rails-html-sanitizer-1.0.3.gem
New:
----
rails-html-sanitizer-1.0.4.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-html-sanitizer.spec ++++++
--- /var/tmp/diff_new_pack.Led7TT/_old 2018-03-26 16:02:09.796335467 +0200
+++ /var/tmp/diff_new_pack.Led7TT/_new 2018-03-26 16:02:09.800335324 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-html-sanitizer
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-rails-html-sanitizer
-Version: 1.0.3
+Version: 1.0.4
Release: 0
%define mod_name rails-html-sanitizer
%define mod_full_name %{mod_name}-%{version}
@@ -38,7 +38,7 @@
BuildRequires: %{ruby}
BuildRequires: ruby-macros >= 5
Url: https://github.com/rails/rails-html-sanitizer
-Source: http://rubygems.org/gems/%{mod_full_name}.gem
+Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: gem2rpm.yml
Summary: HTML sanitization to Rails applications (part of Rails)
License: MIT
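Review bot: the Source switch from `http://rubygems.org/...` to `https://rubygems.org/...` is the right fix and not cosmetic: a plain-http gem download can be altered in transit and nothing in this spec verifies the archive after fetching it, so transport integrity is the only protection the build has. It also makes Source consistent with the `Url:` line, which was already https.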
@@ -53,7 +53,7 @@
%install
%gem_install \
- --doc-files="CHANGELOG.md README.md" \
+ --doc-files="CHANGELOG.md MIT-LICENSE README.md" \
-f
%gem_packages
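Review bot: adding MIT-LICENSE to `--doc-files` is required rather than optional: the license text shipped in the new gem (below) states that the permission notice "shall be included in all copies or substantial portions of the Software", and before this change the binary package carried only CHANGELOG.md and README.md.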
++++++ rails-html-sanitizer-1.0.3.gem -> rails-html-sanitizer-1.0.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/MIT-LICENSE new/MIT-LICENSE
--- old/MIT-LICENSE 1970-01-01 01:00:00.000000000 +0100
+++ new/MIT-LICENSE 2018-03-22 20:08:41.000000000 +0100
@@ -0,0 +1,23 @@
+Copyright (c) 2013-2015 Rafael Mendonça França, Kasper Timm Hansen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2016-01-25 19:28:23.000000000 +0100
+++ new/README.md 2018-03-22 20:08:41.000000000 +0100
@@ -99,17 +99,15 @@
```ruby
class CommentScrubber < Rails::Html::PermitScrubber
- def allowed_node?(node)
- !%w(form script comment blockquote).include?(node.name)
+ def initialize
+ super
+ self.tags = %w( form script comment blockquote )
+ self.attributes = %w( style )
end
def skip_node?(node)
node.text?
end
-
- def scrub_attribute?(name)
- name == "style"
- end
end
```
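Review bot: the replacement example inverts the meaning of both lists. The removed `allowed_node?` returned true for every element not in `%w(form script comment blockquote)`, so those four were the ones stripped, while the new code assigns the same four names to `self.tags` on a `PermitScrubber`, i.e. the set of permitted elements; as written a "comment scrubber" now keeps `form` and `script` and drops everything else. The attribute side flips the same way: `scrub_attribute?(name)` returning true for `"style"` meant style was removed, whereas `self.attributes = %w( style )` permits it. Either the lists should become what a comment may contain (e.g. `%w( p b i a )`), or the example should keep the override form and state explicitly that `tags` and `attributes` are allow-lists, so readers do not copy the wrong semantics into a real sanitizer.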
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer/version.rb
new/lib/rails/html/sanitizer/version.rb
--- old/lib/rails/html/sanitizer/version.rb 2016-01-25 19:28:23.000000000
+0100
+++ new/lib/rails/html/sanitizer/version.rb 2018-03-22 20:08:41.000000000
+0100
@@ -1,7 +1,7 @@
module Rails
module Html
class Sanitizer
- VERSION = "1.0.3"
+ VERSION = "1.0.4"
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer.rb
new/lib/rails/html/sanitizer.rb
--- old/lib/rails/html/sanitizer.rb 2016-01-25 19:28:23.000000000 +0100
+++ new/lib/rails/html/sanitizer.rb 2018-03-22 20:08:41.000000000 +0100
@@ -61,7 +61,7 @@
# Sanitizes html and css from an extensive white list (see link further
down).
#
# === Whitespace
- # We can't make any guarentees about whitespace being kept or stripped.
+ # We can't make any guarantees about whitespace being kept or stripped.
# Loofah uses Nokogiri, which wraps either a C or Java parser for the
# respective Ruby implementation.
# Those two parsers determine how whitespace is ultimately handled.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/scrubbers.rb
new/lib/rails/html/scrubbers.rb
--- old/lib/rails/html/scrubbers.rb 2016-01-25 19:28:23.000000000 +0100
+++ new/lib/rails/html/scrubbers.rb 2018-03-22 20:08:41.000000000 +0100
@@ -28,8 +28,9 @@
# If not, attributes are removed based on Loofahs
+HTML5::Scrub.scrub_attributes+.
#
# class CommentScrubber < Html::PermitScrubber
- # def allowed_node?(node)
- # !%w(form script comment blockquote).include?(node.name)
+ # def initialize
+ # super
+ # self.tags = %w(form script comment blockquote)
# end
#
# def skip_node?(node)
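Review bot: the inline doc comment and the README example now diverge: the README version also sets `self.attributes = %w( style )`, this one stops at `self.tags`, and both list `script` among the tags a CommentScrubber permits, which is an odd choice for an allow-list example. One canonical example, plus a sentence saying outright that `tags` and `attributes` are allow-lists (the `If not, attributes are removed based on Loofahs HTML5::Scrub.scrub_attributes` sentence implies it but never states it), would avoid users copying inverted semantics from whichever copy they read first.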
@@ -152,6 +153,8 @@
end
node.remove_attribute(attr_node.name) if attr_name == 'src' &&
attr_node.value !~ /[^[:space:]]/
+
+ Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
end
end
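Review bot: `Loofah::HTML5::Scrub.force_correct_attribute_escaping! node` is the only functional change under lib/ in this update, so presumably the CVE-2018-3741 fix, but it sits in a method that handles one `attr_node` at a time while the call takes the whole `node`, so an element with several attributes has all of them re-escaped once per attribute. Hoisting the call to the caller, after the attribute loop, would do the work once and remove any question of repeated encoding. The line also deserves a comment naming the CVE and noting that the method only exists from loofah 2.2.2 (which the gemspec below now requires); without it a later cleanup could drop a line that looks unrelated to the scrubbing logic around it.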
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2016-01-25 19:28:23.000000000 +0100
+++ new/metadata 2018-03-22 20:08:41.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rails-html-sanitizer
version: !ruby/object:Gem::Version
- version: 1.0.3
+ version: 1.0.4
platform: ruby
authors:
- Rafael Mendonça França
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2016-01-25 00:00:00.000000000 Z
+date: 2018-03-22 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: loofah
@@ -17,14 +17,20 @@
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '2.0'
+ version: '2.2'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.2.2
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '2.0'
+ version: '2.2'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.2.2
- !ruby/object:Gem::Dependency
name: bundler
requirement: !ruby/object:Gem::Requirement
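Review bot: the loofah requirement moves from `~> 2.0` to `~> 2.2` with `>= 2.2.2`, which is what makes `force_correct_attribute_escaping!` available to the scrubber change above, and the spec diff does not touch any loofah requirement, so the runtime dependency is whatever `%gem_packages` derives from this metadata. Before accepting, check that Factory's rubygem-loofah already satisfies `>= 2.2.2` (or that a companion request does); otherwise the generated Requires is unsatisfiable, and if the constraint were ever loosened the new call would fail with NoMethodError on an older loofah, i.e. the sanitizer would break rather than silently skip the fix.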
@@ -90,6 +96,7 @@
extra_rdoc_files: []
files:
- CHANGELOG.md
+- MIT-LICENSE
- README.md
- lib/rails-html-sanitizer.rb
- lib/rails/html/sanitizer.rb
@@ -117,10 +124,10 @@
version: '0'
requirements: []
rubyforge_project:
-rubygems_version: 2.5.1
+rubygems_version: 2.7.6
signing_key:
specification_version: 4
summary: This gem is responsible to sanitize HTML fragments in Rails
applications.
test_files:
-- test/sanitizer_test.rb
- test/scrubbers_test.rb
+- test/sanitizer_test.rb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/sanitizer_test.rb new/test/sanitizer_test.rb
--- old/test/sanitizer_test.rb 2016-01-25 19:28:23.000000000 +0100
+++ new/test/sanitizer_test.rb 2018-03-22 20:08:41.000000000 +0100
@@ -33,7 +33,7 @@
assert_equal %(<h1>hello </h1>), xpath_sanitize(html, xpaths:
%w(.//script))
end
- def test_remove_xpaths_removes_all_occurences_of_xpath
+ def test_remove_xpaths_removes_all_occurrences_of_xpath
html = %(<section><header><script>code!</script></header><p>hello
<script>code!</script></p></section>)
assert_equal %(<section><header></header><p>hello </p></section>),
xpath_sanitize(html, xpaths: %w(.//script))
end
@@ -58,11 +58,11 @@
end
def test_strip_invalid_html
- assert_equal "", full_sanitize("<<<bad html")
+ assert_equal "<<", full_sanitize("<<<bad html")
end
def test_strip_nested_tags
- expected = "Weia onclick='alert(document.cookie);'/>rdos"
+ expected = "Wei<a onclick='alert(document.cookie);'/>rdos"
input = "Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"
assert_equal expected, full_sanitize(input)
end
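Review bot: the flipped expectations (`""` to `"<<"`, and `Weia onclick=...` to `Wei<a onclick='alert(document.cookie);'/>rdos`) record a behaviour change in `full_sanitize`: stray `<` characters that used to disappear are now kept as text. That is acceptable for a tag stripper, but the second expected string shows plainly that its output can contain text that reads as markup, so callers must still HTML-escape the result before rendering it; the output change should be mentioned in the changelog for applications whose own tests pin on sanitized strings.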
@@ -74,7 +74,7 @@
assert_equal expected, full_sanitize(input)
end
- def test_strip_comments
+ def test_remove_unclosed_tags
assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
end
@@ -87,7 +87,9 @@
end
def test_strip_blank_string
- [nil, '', ' '].each { |blank| assert_equal blank, full_sanitize(blank) }
+ assert_nil full_sanitize(nil)
+ assert_equal "", full_sanitize("")
+ assert_equal " ", full_sanitize(" ")
end
def test_strip_tags_with_plaintext
@@ -98,8 +100,8 @@
assert_equal "This is a test.", full_sanitize("<p>This <u>is<u> a <a
href='test.html'><strong>test</strong></a>.</p>")
end
- def test_strip_tags_with_many_open_quotes
- assert_equal "", full_sanitize("<<<bad html>")
+ def test_escape_tags_with_many_open_quotes
+ assert_equal "<<", full_sanitize("<<<bad html>")
end
def test_strip_tags_with_sentence
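Review bot: the rename to `test_escape_tags_with_many_open_quotes` does not match what is asserted: the expected value `"<<"` contains raw angle brackets, so nothing is escaped, the brackets are retained. A name such as `test_keeps_stray_open_brackets` would describe the behaviour and avoid suggesting to readers of the suite that `full_sanitize` escapes its output.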
@@ -123,7 +125,7 @@
end
def test_strip_links_with_tags_in_tags
- expected = "a href='hello'>all <b>day</b> long/a>"
+ expected = "<a href='hello'>all <b>day</b> long</a>"
input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
assert_equal expected, link_sanitize(input)
end
@@ -360,7 +362,7 @@
end
def test_should_sanitize_script_tag_with_multiple_open_brackets
- assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "alert(\"XSS\");//"
+ assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>),
"<alert(\"XSS\");//<"
assert_sanitized %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a), ""
end
@@ -383,13 +385,13 @@
def test_should_sanitize_illegal_style_properties
raw = %(display:block; position:absolute; left:0; top:0; width:100%;
height:100%; z-index:1; background-color:black;
background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg);
background-x:center; background-y:center; background-repeat:repeat;)
- expected = %(display: block; width: 100%; height: 100%; background-color:
black; background-x: center; background-y: center;)
+ expected =
%(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
assert_equal expected, sanitize_css(raw)
end
def test_should_sanitize_with_trailing_space
raw = "display:block; "
- expected = "display: block;"
+ expected = "display:block;"
assert_equal expected, sanitize_css(raw)
end
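Review bot: the new expected strings drop the space after each `:` and `;` (`display:block;` instead of `display: block;`), which is a serialization change in `sanitize_css`, not a security one, presumably arriving with the loofah bump. It will break any downstream test or fixture that compares sanitized CSS byte for byte, so it belongs in the changelog next to the CVE line.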
@@ -482,6 +484,38 @@
assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text,
attributes: ['data-foo'])
end
+ def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
+ html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+ text = white_list_sanitize(html)
+
+ assert_equal %{<a
href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ end
+
+ def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
+ html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+ text = white_list_sanitize(html)
+
+ assert_equal %{<a
src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ end
+
+ def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
+ html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+ text = white_list_sanitize(html)
+
+ assert_equal %{<a
name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ end
+
+ def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
+ html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+ text = white_list_sanitize(html, attributes: ['action'])
+
+ assert_equal %{<a
action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ end
+
protected
def xpath_sanitize(input, options = {})
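Review bot: the four new tests cover href, src, name and action, but every one of them goes through `<a>` and uses the identical payload, and nothing says why exactly these four names were chosen while `data-foo`, exercised just above with `white_list_sanitize(text, attributes: ['data-foo'])`, is not. Two additions would make the guarantee clearer: the same case on another element (an `<img src>` or a `<form action>`) to show the fix is per-attribute rather than tied to `<a>`, and a negative test with an ordinary, already percent-encoded href (e.g. `href="/path?q=a%20b"`) asserting it comes back unchanged, so a future change cannot introduce double-encoding unnoticed. A one-line comment explaining the attribute set would also help whoever extends the suite later.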