Changelog for ruby2.7-rubygem-sanitize-6.1.1-1.6.i586.rpm :

* Fri Jun 21 2024 Dan Čermák - New upstream release 6.1.1, see bundled HISTORY.md
* Tue Nov 14 2023 Dan Čermák - New upstream release 6.1.0, see bundled HISTORY.md
* Tue Jan 25 2022 Stephan Kulow updated to version 6.0.0 see installed HISTORY.md [#]# 6.0.0 (2021-08-03) [#]## Potentially Breaking Changes
* Ruby 2.5.0 is now the oldest officially supported Ruby version.
* Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [AATTlis2 - #211][211] [211]:https://github.com/rgrove/sanitize/pull/211
* Wed Jan 20 2021 Stephan Kulow updated to version 5.2.3 see installed HISTORY.md [#]# 5.2.3 (2021-01-11) [#]## Bug Fixes
* Ensure protocol sanitization is applied to data attributes. [AATTccutrer - #207][207] [207]:https://github.com/rgrove/sanitize/pull/207 [#]# 5.2.2 (2021-01-06) [#]## Bug Fixes
* Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [AATTmscrivo - #206][206] [206]:https://github.com/rgrove/sanitize/pull/206
* Sun Jul 12 2020 Matthew Trescott - updated to version 5.2.1 (fixes CVE-2020-4054) see installed HISTORY.md [#]# 5.2.1 (2020-06-16) [#]## Bug Fixes
* Fixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0. When HTML was sanitized using the \"relaxed\" config or a custom config that allows certain elements, some content in a `$`\; or\; ``\; element\; may\; not\; have\; beeen\; sanitized\; correctly\; even\; if\; `math`\; and\; `svg`\; were\; not\; in\; the\; allowlist.\; This\; could\; allow\; carefully\; crafted\; input\; to\; sneak\; arbitrary\; HTML\; through\; Sanitize,\; potentially\; enabling\; an\; XSS\; (cross-site\; scripting)\; attack.\; You\; are\; likely\; to\; be\; vulnerable\; to\; this\; issue\; if\; you\; use\; Sanitize\backslash \text{'}s\; relaxed\; config\; or\; a\; custom\; config\; that\; allows\; one\; or\; more\; of\; the\; following\; HTML\; elements:\; -\; `iframe`\; -\; `math`\; -\; `noembed`\; -\; `noframes`\; -\; `noscript`\; -\; `plaintext`\; -\; `script`\; -\; `style`\; -\; `svg`\; -\; `xmp`\; See\; the\; security\; advisory\; for\; more\; details,\; including\; a\; workaround\; if\; you\backslash \text{'}re\; not\; able\; to\; upgrade:\; [GHSA-p4x4-rw2p-8j8m]\; Many\; thanks\; to\; Michał\; Bentkowski\; of\; Securitum\; for\; reporting\; this\; issue\; and\; helping\; to\; verify\; the\; fix.\; [GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\; [\#]\#\; 5.2.0\; (2020-06-06)\; [\#]\#\#\; Changes$
* The term \"whitelist\" has been replaced with \"allowlist\" throughout Sanitize\'s source and documentation. While the etymology of \"whitelist\" may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \"blacklist\") is not. This is a change I should have made long ago, and I apologize for not making it sooner.
* In transformer input, the `:is_whitelisted` and `:node_whitelist` keys are now deprecated. New `:is_allowlisted` and `:node_allowlist` keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.
* Mon Feb 10 2020 Stephan Kulow - updated to version 5.1.0 see installed HISTORY.md [#]# 5.1.0 (2019-09-07) [#]## Features
* Added a `:parser_options` config hash, which makes it possible to pass custom parsing options to Nokogumbo. [AATTaustin-wang - #194][194] [#]## Bug Fixes
* Non-characters and non-whitespace control characters are now stripped from HTML input before parsing to comply with the HTML Standard\'s [preprocessing guidelines][html-preprocessing]. Prior to this Sanitize had adhered to [older W3C guidelines][unicode-xml] that have since been withdrawn. [#179][179] [179]:https://github.com/rgrove/sanitize/issues/179 [194]:https://github.com/rgrove/sanitize/pull/194 [html-preprocessing]:https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream [unicode-xml]:https://www.w3.org/TR/unicode-xml/
* Thu Nov 22 2018 Stephan Kulow - updated to version 5.0.0 see installed HISTORY.md [#]# 5.0.0 (2018-10-14) For most users, upgrading from 4.x shouldn\'t require any changes. However, the minimum required Ruby version has changed, and Sanitize 5.x\'s HTML output may differ in some small ways from 4.x\'s output. If this matters to you, please review the changes below carefully. [#]## Potentially Breaking Changes
* Ruby 2.3.0 is now the oldest officially supported Ruby version. Sanitize may work in older 2.x Rubies, but they aren\'t actively tested. Sanitize definitely no longer works in Ruby 1.9.x.
* Upgraded to Nokogumbo 2.x, which fixes various bugs and adds standard-compliant HTML serialization. [AATTstevecheckoway - #189][189]
* Children of the following elements are now removed by default when these elements are removed, rather than being preserved and escaped: - `iframe` - `noembed` - `noframes` - `noscript` - `script` - `style`
* Children of whitelisted `iframe` elements are now always removed. In modern HTML, `iframe` elements should never have children. In HTML 4 and earlier `iframe` elements were allowed to contain fallback content for legacy browsers, but it\'s been almost two decades since that was useful.
* Fixed a bug that caused `:remove_contents` to behave as if it were set to `true` when it was actually an Array. [189]:https://github.com/rgrove/sanitize/pull/189
* Wed Sep 05 2018 cooloAATTsuse.com- updated to version 4.6.6 see installed HISTORY.md [#]# 4.6.6 (2018-07-23)
* Improved performance and memory usage by optimizing `Sanitize#transform_node!` [AATTstanhu - #183][183] [183]:https://github.com/rgrove/sanitize/pull/183
* Thu May 17 2018 factory-autoAATTkulow.org- updated to version 4.6.5 see installed HISTORY.md [#]# 4.6.5 (2018-05-16)
* Improved performance slightly by tweaking the order of built-in transformers. [AATTrafbm - #180][180] [180]:https://github.com/rgrove/sanitize/pull/180
* Wed Mar 21 2018 factory-autoAATTkulow.org- updated to version 4.6.4 see installed HISTORY.md [#]# 4.6.4 (2018-03-20)
* Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. [AATTzetter - #177][177] [177]:https://github.com/rgrove/sanitize/issues/177