dep: [security] bump rails-html-sanitizer from 1.4.2 to 1.4.3
Bumps rails-html-sanitizer from 1.4.2 to 1.4.3. This update includes a security fix.
Vulnerabilities fixed
Rails::Html::Sanitizer vulnerable to Cross-site Scripting

Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allow an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. This may be done via application configuration:
```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```
see https://guides.rubyonrails.org/configuring.html#configuring-action-view
Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```erb
<%= sanitize @comment.body, tags: ["select", "style"] %>
```
see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
It may also be done with Rails::Html::SafeListSanitizer directly:
```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or with

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```
All users overriding the allowed tags by any of the above mechanisms to include both `select` and `style` are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.

Patched versions: 1.4.3
Affected versions: < 1.4.3
Release notes
Sourced from rails-html-sanitizer's releases.
1.4.3 / 2022-06-09
Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer. Fixes CVE-2022-32209
Mike Dalessio
Changelog
Sourced from rails-html-sanitizer's changelog.
1.4.3 / 2022-06-09
Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer. Fixes CVE-2022-32209
Mike Dalessio
Commits
- f83f08c version bump to v1.4.3
- 924e3ab update CHANGELOG for v1.4.3
- 9b79253 Merge pull request #137 from rails/flavorjones-prevent-select-style-combinati...
- 45a5c10 fix: modify safelist option if it contains both `select` and `style`
- 045774a test: clean up tests by using the helpers
- fe109c9 test: ensure we pass with libxml 2.9.14
- 9778c47 test: ensure tests pass when nokogiri uses system libxml2
- 9c421f0 ci: add coverage for system libxml2
- 984b82e ci: include coverage of ruby 3.1 and jruby 9.3
- 18f2f2c test: finally use the CSS hex encoding originally intended
- See full diff in compare view
Dependabot commands

You can trigger Dependabot actions by commenting on this MR:

- `@dependabot-bot rebase` will rebase this MR
- `@dependabot-bot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts
Allure report

allure-report-publisher generated test report!

rspec:
+------------------------------------------------------------------+
| behaviors summary |
+-------------+--------+--------+---------+-------+-------+--------+
| | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| services | 174 | 0 | 0 | 0 | 174 | ✅ |
| jobs | 14 | 0 | 0 | 0 | 14 | ✅ |
| controllers | 25 | 0 | 0 | 0 | 25 | ✅ |
| models | 3 | 0 | 0 | 0 | 3 | ✅ |
| tasks | 8 | 0 | 0 | 0 | 8 | ✅ |
| system | 10 | 0 | 0 | 0 | 10 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+
| Total | 234 | 0 | 0 | 0 | 234 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+