pkgsrc-Changes archive


CVS commit: pkgsrc/www/ruby-rails-html-sanitizer



Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Dec 11 14:42:38 UTC 2024

Modified Files:
        pkgsrc/www/ruby-rails-html-sanitizer: Makefile distinfo

Log Message:
www/ruby-rails-html-sanitizer: update to 1.6.1

1.6.1 (2024-12-02)

This is a performance and security release which addresses several possible
XSS vulnerabilities.

* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

* Disallowed tags will be pruned when they appear in foreign content
  (i.e. SVG or MathML content), regardless of the prune: option
  value. Previously, disallowed tags were "stripped" unless the gem was
  configured with the prune: true option.

  The CVEs addressed by this change are:

        - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
        - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even
  if explicitly added to the allowlist. If applications try to allow any of
  these tags, a warning is emitted and the tags are removed from the
  allowlist.

  The CVEs addressed by this change are:

        - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
        - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a
  future release. We do not expect to ever allow "mglyph" or "malignmark",
  though, especially since browser support is minimal for these tags.

  Mike Dalessio

* Improve performance by eliminating needless operations on attributes that
  are being removed. #188

  Mike Dalessio
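
A defender-side check for the versions named in this release, added here as an example and not code from rails-html-sanitizer or pkgsrc: it parses a Gemfile.lock and flags a rails-html-sanitizer below 1.6.1 or a Nokogiri outside the 1.15.7 / >= 1.16.8 fix ranges. The sample lockfile is constructed, and reading the note's "v1.15.7" as an exact version is an assumption.

```ruby
require "rubygems"

# Fixed versions from the 1.6.1 release notes; Nokogiri has two safe ranges.
WATCHED = {
  "rails-html-sanitizer" => [Gem::Requirement.new(">= 1.6.1")],
  "nokogiri" => [Gem::Requirement.new("= 1.15.7"), Gem::Requirement.new(">= 1.16.8")],
}.freeze

# Parse the "specs:" block of a Gemfile.lock into { gem name => Gem::Version }.
# Only 4-space-indented lines carry a resolved version (deeper ones are deps).
# Platform suffixes ("-x86_64-linux") are dropped: Gem::Version reads them as prerelease.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false unless line.start_with?(" ") || line.strip.empty?
    m = in_specs && line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2].split("-").first) if m
  end
  versions
end

# Return [name, locked version, reason] for every watched gem that is missing
# or outside all of its safe ranges; an empty array means the lock is clean.
def audit(lockfile_text)
  locked = locked_versions(lockfile_text)
  WATCHED.filter_map do |name, ok_ranges|
    v = locked[name]
    if v.nil?
      [name, nil, "not in lockfile"]
    elsif ok_ranges.none? { |r| r.satisfied_by?(v) }
      [name, v.to_s, "needs #{ok_ranges.map(&:to_s).join(' or ')}"]
    end
  end
end

# Constructed sample lockfile (not from a real project) with pre-1.6.1 pins.
VULNERABLE_LOCK = <<~LOCK
  GEM
    specs:
      nokogiri (1.16.7-x86_64-linux)
      rails-html-sanitizer (1.6.0)
        nokogiri (~> 1.14)
  PLATFORMS
    x86_64-linux
LOCK
FIXED_LOCK = VULNERABLE_LOCK.sub("(1.16.7-", "(1.16.8-").sub("(1.6.0)", "(1.6.1)")
audit(VULNERABLE_LOCK).each { |name, v, why| puts "#{name} #{v}: #{why}" }
```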


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/ruby-rails-html-sanitizer/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/www/ruby-rails-html-sanitizer/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ruby-rails-html-sanitizer/Makefile
diff -u pkgsrc/www/ruby-rails-html-sanitizer/Makefile:1.8 pkgsrc/www/ruby-rails-html-sanitizer/Makefile:1.9
--- pkgsrc/www/ruby-rails-html-sanitizer/Makefile:1.8   Sun May 28 01:51:44 2023
+++ pkgsrc/www/ruby-rails-html-sanitizer/Makefile       Wed Dec 11 14:42:38 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.8 2023/05/28 01:51:44 taca Exp $
+# $NetBSD: Makefile,v 1.9 2024/12/11 14:42:38 taca Exp $
 
-DISTNAME=      rails-html-sanitizer-1.6.0
+DISTNAME=      rails-html-sanitizer-1.6.1
 CATEGORIES=    www
 
 MAINTAINER=    minskim%NetBSD.org@localhost
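Review bot: the only visible change is the DISTNAME bump from 1.6.0 to 1.6.1, but the log message says 1.6.1 also tightens the Nokogiri requirement to 1.15.7 or >= 1.16.8; this hunk covers just the first six lines of the Makefile, so the DEPENDS line for ruby-nokogiri, if the package carries one, sits outside the hunk and should be checked against the new minimum rather than left at whatever satisfied 1.6.0.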

Index: pkgsrc/www/ruby-rails-html-sanitizer/distinfo
diff -u pkgsrc/www/ruby-rails-html-sanitizer/distinfo:1.10 pkgsrc/www/ruby-rails-html-sanitizer/distinfo:1.11
--- pkgsrc/www/ruby-rails-html-sanitizer/distinfo:1.10  Sun May 28 01:51:44 2023
+++ pkgsrc/www/ruby-rails-html-sanitizer/distinfo       Wed Dec 11 14:42:38 2024
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.10 2023/05/28 01:51:44 taca Exp $
+$NetBSD: distinfo,v 1.11 2024/12/11 14:42:38 taca Exp $
 
-BLAKE2s (rails-html-sanitizer-1.6.0.gem) = 136b4a5dc933f2d4d5e5e5fefb1365cc93c055af7dbe7a2c030423eac3a08ffb
-SHA512 (rails-html-sanitizer-1.6.0.gem) = 265c093872b43794be02a8b1d2574be8270762b46c2b0d930159d3b41e06b897ed8b6edf3b219e0e71591fa5f7d38107ed8d332cebd3dfe4c37c6d06b7b5fa12
-Size (rails-html-sanitizer-1.6.0.gem) = 23552 bytes
+BLAKE2s (rails-html-sanitizer-1.6.1.gem) = 753d6d24643056e06c60b8e2048d8458a02c047c35ff09b066d514614e89f75e
+SHA512 (rails-html-sanitizer-1.6.1.gem) = 97b7fb6fc2a420173ff4619e6b58df6d283df77f115d4ebd15e29ba0ab412734565e975bf27c0b46477615eeae3a17ba539f7ea60fa162cb4133acd55db292d5
+Size (rails-html-sanitizer-1.6.1.gem) = 25600 bytes
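Review bot: BLAKE2s, SHA512 and Size all move together for the 1.6.1 gem, which is consistent; since these values are what pins the fetched distfile to the audited release, confirm they were regenerated with `make distinfo` from a gem fetched from the canonical RubyGems source rather than hand-edited, and that the size change from 23552 to 25600 bytes matches the published 1.6.1 gem.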