This is a performance and security release which addresses several possible XSS vulnerabilities.

* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

* Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio
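The two behaviours the changelog contrasts, "strip" (drop the disallowed tag but keep whatever was inside it) and "prune" (drop the tag together with its contents), and the forced removal of "noscript", "mglyph" and "malignmark" from an allowlist, are easy to misread. The following is an added, self-contained Ruby illustration written for this page; it is not code from rails-html-sanitizer, Nokogiri or the Gentoo ebuild. Node, el, strip_node, prune_node, effective_allowlist and sanitize_toy are hypothetical names over a hand-built tree (no HTML parsing is done), and the sample document is constructed. The real gem exposes the switch as the prune: option of Rails::HTML5::SafeListSanitizer#sanitize, and after 1.6.1 it prunes inside SVG/MathML content whatever that option says.

```ruby
require "stringio"

# Minimal tree model: an element is a Node with a name and a list of children;
# a text node is a plain String. (Constructed for this example only.)
Node = Struct.new(:name, :children)

def el(name, *kids)
  Node.new(name, kids)
end

# Tag names the 1.6.1 release refuses even when an application allows them.
FORCED_DISALLOW = %w[noscript mglyph malignmark].freeze

# Re-implementation of the described allowlist rule: warn and drop refused tags.
def effective_allowlist(tags, warn_io: $stderr)
  tags = tags.map(&:to_s)
  refused = tags & FORCED_DISALLOW
  refused.each do |t|
    warn_io.puts "warning: #{t.inspect} cannot be allowed and was removed from the allowlist"
  end
  tags - refused
end

# "strip": a disallowed element disappears, but its (recursively filtered)
# children, including raw text, stay in the output at the same position.
def strip_node(node, allow)
  return [node] if node.is_a?(String)
  kids = node.children.flat_map { |c| strip_node(c, allow) }
  allow.include?(node.name) ? [Node.new(node.name, kids)] : kids
end

# "prune": a disallowed element and its whole subtree disappear.
def prune_node(node, allow)
  return [node] if node.is_a?(String)
  return [] unless allow.include?(node.name)
  [Node.new(node.name, node.children.flat_map { |c| prune_node(c, allow) })]
end

def serialize(nodes)
  nodes.map do |n|
    n.is_a?(String) ? n : "<#{n.name}>#{serialize(n.children)}</#{n.name}>"
  end.join
end

# Apply the allowlist with either behaviour and return the serialized result.
def sanitize_toy(nodes, allow_tags, prune: false, warn_io: $stderr)
  allow = effective_allowlist(allow_tags, warn_io: warn_io)
  out = nodes.flat_map { |n| prune ? prune_node(n, allow) : strip_node(n, allow) }
  serialize(out)
end

# Constructed sample: a disallowed <style> nested in allowed <svg> foreign
# content, a disallowed <script>, and an ordinary allowed <p>.
SAMPLE = [
  el("svg", el("style", "svg { fill: red }"), el("circle")),
  el("script", "1+1"),
  el("p", "ok"),
].freeze

if __FILE__ == $PROGRAM_NAME
  # "noscript" in the allowlist triggers the warning and is ignored.
  puts sanitize_toy(SAMPLE, %w[svg circle p noscript], prune: false)
  puts sanitize_toy(SAMPLE, %w[svg circle p noscript], prune: true)
end
```

Run stand-alone, the strip variant keeps the text that was inside the disallowed <style> and <script> elements in place, while the prune variant leaves only the allowed elements; that surviving text is the reason the release prunes unconditionally inside foreign content rather than relying on applications to set prune: true.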
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eada55398d528b3987518d9236467476f6ea1c2

commit 4eada55398d528b3987518d9236467476f6ea1c2
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-01-07 07:32:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-01-07 07:32:49 +0000

    dev-ruby/rails-html-sanitizer: stabilize 1.6.2 for amd64

    Bug: https://bugs.gentoo.org/945819
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rails-html-sanitizer/rails-html-sanitizer-1.6.2.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)