Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump sanitize from 4.6.0 to 4.6.4 #162

Merged
merged 1 commit into from
Apr 6, 2018

Conversation

dependabot-preview[bot]
Copy link
Contributor

@dependabot-preview dependabot-preview bot commented Mar 21, 2018

Bumps sanitize from 4.6.0 to 4.6.4.

Release notes

Sourced from sanitize's releases.

4.6.4 (2018-03-20)

  • Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. [zetter - Bump mocha from 1.3.0 to 1.5.0 #177]177

4.6.3 (2018-03-19)

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

4.6.2 (2018-03-19)

4.6.1 (2018-03-15)

Changelog

Sourced from sanitize's changelog.

4.6.4 (2018-03-20)

  • Fixed: A change introduced in 4.6.2 broke certain transformers that relied on
    being able to mutate the name of an HTML node. That change has been reverted
    and a test has been added to cover this case. [zetter - Bump mocha from 1.3.0 to 1.5.0 #177]177

4.6.3 (2018-03-19)

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow
    XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
    specially crafted HTML fragment can cause libxml2 to generate improperly
    escaped output, allowing non-whitelisted attributes to be used on whitelisted
    elements.

    Sanitize now performs additional escaping on affected attributes to prevent
    this.

    Many thanks to the Shopify Application Security Team for responsibly reporting
    this issue.

4.6.2 (2018-03-19)

4.6.1 (2018-03-15)

Commits
  • acc7e64 chore: Release 4.6.4
  • 71d84a8 Remove optimization to get back the previous behaviour of transformers
  • f5a2686 chore: Add CVE id to history for 4.6.3
  • 5f66eb1 chore: Release 4.6.3
  • 01629a1 fix: Prevent code injection due to improper escaping in libxml2 >= 2.9.2
  • 0eee92e chore: Release 4.6.2
  • caa558a Optimize memory usage
  • 184709b chore: Release 4.6.1
  • 5ab3d0d Merge branch 'flavorjones-flavorjones-frozen-string-support'
  • 823a3f6 support ruby 2.4+ frozen string literals
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If you'd like to skip this version, you can just close this PR. If you have any feedback just mention @dependabot in the comments below.

@dependabot-preview dependabot-preview bot force-pushed the dependabot/bundler/sanitize-4.6.4 branch from 8c2460c to 183bd0b Compare March 26, 2018 02:47
@dependabot-preview dependabot-preview bot force-pushed the dependabot/bundler/sanitize-4.6.4 branch from 183bd0b to eaa0730 Compare April 6, 2018 01:50
@dependabot-preview dependabot-preview bot force-pushed the dependabot/bundler/sanitize-4.6.4 branch from eaa0730 to 2c1d766 Compare April 6, 2018 01:53
@afomera afomera merged commit f58050c into master Apr 6, 2018
@afomera afomera deleted the dependabot/bundler/sanitize-4.6.4 branch April 6, 2018 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants