Skip to content

Releases: rails/rails-html-sanitizer

v1.6.2 / 2024-12-12

12 Dec 21:01
9160d49
Compare
Choose a tag to compare

v1.6.2 / 2024-12-12

  • PermitScrubber fully supports frozen "allowed tags".

    v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
    introduced a regression for applications passing a frozen array of allowed tags. Tags and
    attributes are now properly copied when they are passed to the scrubber.

    Fixes #195.

    Mike Dalessio

1.6.1 / 2024-12-02

02 Dec 20:52
5e96b19
Compare
Choose a tag to compare

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

  • The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

    This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

    Mike Dalessio

  • Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
    regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the
    gem was configured with the prune: true option.

    The CVEs addressed by this change are:

    Mike Dalessio

  • The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
    the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
    are removed from the allow-list.

    The CVEs addressed by this change are:

    Please note that we may restore support for allowing "noscript" in a future release. We do not
    expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
    for these tags.

    Mike Dalessio

  • Improve performance by eliminating needless operations on attributes that are being removed. #188

    Mike Dalessio

1.6.0 / 2023-05-26

26 May 13:22
19fd6cd
Compare
Choose a tag to compare

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1
    (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by
    Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version
    of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical
    to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's
    supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer
    already ensured this encoding.

    Mike Dalessio

  • SafeListSanitizer allows time tag and lang attribute by default.

    Mike Dalessio

  • The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the
    existing sanitizers, and should have been a private constant all along anyway.

    Mike Dalessio

1.5.0 / 2023-01-20

20 Jan 18:54
a337ec8
Compare
Choose a tag to compare

1.5.0 / 2023-01-20

  • SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.

    By default, unsafe tags are still stripped, but this behavior can be changed to prune the element
    and its children from the document by passing prune: true to any of these classes' constructors.

    @seyerian

1.4.4 / 2022-12-13

13 Dec 13:37
fd63dea
Compare
Choose a tag to compare

1.4.4 / 2022-12-13

1.4.3 / 2022-06-09

09 Jun 22:33
f83f08c
Compare
Choose a tag to compare

1.4.3 / 2022-06-09

  • Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of select and style as allowed tags in SafeListSanitizer.

    Fixes CVE-2022-32209

    Mike Dalessio

1.4.2 / 2021-08-23

24 Aug 00:18
c86fed1
Compare
Choose a tag to compare

1.4.2 / 2021-08-23

  • Slightly improve performance.

    Assuming elements are more common than comments, make one less method call per node.

1.4.1 / 2021-08-18

18 Aug 20:53
b41bc7a
Compare
Choose a tag to compare

1.4.1 / 2021-08-18

  • Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

    Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
    passed through elements to the scrubber's keep_node? method.

    This change once again allows the scrubber to make the decision on comment nodes, but still skips
    other non-elements like processing instructions (see #115).

    Mike Dalessio

1.4.0 / 2021-08-18

18 Aug 17:24
2e9ec19
Compare
Choose a tag to compare

1.4.0 / 2021-08-18

  • Processing Instructions are no longer allowed by Rails::Html::PermitScrubber

    Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
    are no known security issues associated with these PIs, but similar to comments it's preferred to
    omit these nodes when possible from sanitized output.

    Fixes #115.

    Mike Dalessio

v1.3.0

06 Oct 15:14
Compare
Choose a tag to compare
  • Address deprecations in Loofah 2.3.0.

    Josh Goodall