The full sanitizer was using Loofah's #text method, which automatically escapes HTML entities. That behavior caused some problems where strings that were not escaped in the older sanitizer started to be escaped. To fix these problems we used #text with the `encode_special_chars` option set to `false`, which not only skipped the HTML entity escaping but also unescaped already-escaped entities. This introduced a security bug because an attacker can pass escaped HTML tags that will not be sanitized and will be returned as unescaped HTML tags. To fix it properly we introduced a new scrubber that removes all tags and keeps just the text nodes of these tags without changing how the string is escaped. (CVE-2015-7578)
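As an added illustration of the behaviour described above (not code from the gem, Loofah, or the report), here is a minimal Ruby model of the two scrubbing strategies: one that drops tags and leaves entities untouched, and one that drops tags and then unescapes entities, as `#text` with `encode_special_chars: false` effectively did. The tokenizer and helper names are constructed stand-ins, not Loofah's API, and the input is a constructed sample.

```ruby
require "cgi"

# Constructed sample: a tag that arrives already entity-escaped, next to a
# real <b> tag. A correct sanitizer must keep the escaped tag escaped.
ESCAPED_INPUT = "hello &lt;script&gt;payload&lt;/script&gt; <b>world</b>"

# Minimal tokenizer (stand-in for a real HTML parser, not Nokogiri/Loofah):
# splits markup into tag tokens ("<...>") and text tokens (everything else).
def tokenize(html)
  html.scan(/<[^>]*>|[^<]+/)
end

# Fixed behaviour: keep only text nodes, leaving entity escaping exactly as
# it was in the input, so "&lt;" stays "&lt;".
def text_only(html)
  tokenize(html).reject { |tok| tok.start_with?("<") }.join
end

# Broken behaviour: strip tags, then unescape entities. Anything that was
# escaped on the way in now comes out as a live tag.
def text_only_unescaping(html)
  CGI.unescapeHTML(text_only(html))
end

# Regression check a maintainer can keep beside a sanitizer: the output must
# contain no raw tag, whatever the input looked like.
def tag_free?(str)
  !str.match?(/<[^>]*>/)
end

if __FILE__ == $PROGRAM_NAME
  puts "fixed:  #{text_only(ESCAPED_INPUT)}"
  puts "broken: #{text_only_unescaping(ESCAPED_INPUT)}"
end
```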
dev-ruby/rails-html-sanitizer-1.0.3 is now in the tree. It is not fully backward compatible in its results due to increased security measures, so let's do cleanup after a week to give people who need it a chance to upgrade.
Cleanup done.
GLSA Vote: No