Changelog for ruby2.5-rubygem-sanitize-doc-6.1.1-lp156.2.1.x86_64.rpm :

* Fri Jun 21 2024 Dan Čermák - New upstream release 6.1.1, see bundled HISTORY.md
* Tue Nov 14 2023 Dan Čermák - New upstream release 6.1.0, see bundled HISTORY.md
* Tue Jan 25 2022 Stephan Kulow updated to version 6.0.0 see installed HISTORY.md [#]# 6.0.0 (2021-08-03) [#]## Potentially Breaking Changes
* Ruby 2.5.0 is now the oldest officially supported Ruby version.
* Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [AATTlis2 - #211][211] [211]:https://github.com/rgrove/sanitize/pull/211
* Wed Jan 20 2021 Stephan Kulow updated to version 5.2.3 see installed HISTORY.md [#]# 5.2.3 (2021-01-11) [#]## Bug Fixes
* Ensure protocol sanitization is applied to data attributes. [AATTccutrer - #207][207] [207]:https://github.com/rgrove/sanitize/pull/207 [#]# 5.2.2 (2021-01-06) [#]## Bug Fixes
* Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [AATTmscrivo - #206][206] [206]:https://github.com/rgrove/sanitize/pull/206
* Sun Jul 12 2020 Matthew Trescott - updated to version 5.2.1 (fixes CVE-2020-4054) see installed HISTORY.md [#]# 5.2.1 (2020-06-16) [#]## Bug Fixes
* Fixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0. When HTML was sanitized using the \"relaxed\" config or a custom config that allows certain elements, some content in a `$`\; or\; ``\; element\; may\; not\; have\; beeen\; sanitized\; correctly\; even\; if\; `math`\; and\; `svg`\; were\; not\; in\; the\; allowlist.\; This\; could\; allow\; carefully\; crafted\; input\; to\; sneak\; arbitrary\; HTML\; through\; Sanitize,\; potentially\; enabling\; an\; XSS\; (cross-site\; scripting)\; attack.\; You\; are\; likely\; to\; be\; vulnerable\; to\; this\; issue\; if\; you\; use\; Sanitize\backslash \text{'}s\; relaxed\; config\; or\; a\; custom\; config\; that\; allows\; one\; or\; more\; of\; the\; following\; HTML\; elements:\; -\; `iframe`\; -\; `math`\; -\; `noembed`\; -\; `noframes`\; -\; `noscript`\; -\; `plaintext`\; -\; `script`\; -\; `style`\; -\; `svg`\; -\; `xmp`\; See\; the\; security\; advisory\; for\; more\; details,\; including\; a\; workaround\; if\; you\backslash \text{'}re\; not\; able\; to\; upgrade:\; [GHSA-p4x4-rw2p-8j8m]\; Many\; thanks\; to\; Michał\; Bentkowski\; of\; Securitum\; for\; reporting\; this\; issue\; and\; helping\; to\; verify\; the\; fix.\; [GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\; [\#]\#\; 5.2.0\; (2020-06-06)\; [\#]\#\#\; Changes$
* The term \"whitelist\" has been replaced with \"allowlist\" throughout Sanitize\'s source and documentation. While the etymology of \"whitelist\" may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \"blacklist\") is not. This is a change I should have made long ago, and I apologize for not making it sooner.
* In transformer input, the `:is_whitelisted` and `:node_whitelist` keys are now deprecated. New `:is_allowlisted` and `:node_allowlist` keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.
* Mon Feb 10 2020 Stephan Kulow - updated to version 5.1.0 see installed HISTORY.md [#]# 5.1.0 (2019-09-07) [#]## Features
* Added a `:parser_options` config hash, which makes it possible to pass custom parsing options to Nokogumbo. [AATTaustin-wang - #194][194] [#]## Bug Fixes
* Non-characters and non-whitespace control characters are now stripped from HTML input before parsing to comply with the HTML Standard\'s [preprocessing guidelines][html-preprocessing]. Prior to this Sanitize had adhered to [older W3C guidelines][unicode-xml] that have since been withdrawn. [#179][179] [179]:https://github.com/rgrove/sanitize/issues/179 [194]:https://github.com/rgrove/sanitize/pull/194 [html-preprocessing]:https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream [unicode-xml]:https://www.w3.org/TR/unicode-xml/
* Thu Nov 22 2018 Stephan Kulow - updated to version 5.0.0 see installed HISTORY.md [#]# 5.0.0 (2018-10-14) For most users, upgrading from 4.x shouldn\'t require any changes. However, the minimum required Ruby version has changed, and Sanitize 5.x\'s HTML output may differ in some small ways from 4.x\'s output. If this matters to you, please review the changes below carefully. [#]## Potentially Breaking Changes
* Ruby 2.3.0 is now the oldest officially supported Ruby version. Sanitize may work in older 2.x Rubies, but they aren\'t actively tested. Sanitize definitely no longer works in Ruby 1.9.x.
* Upgraded to Nokogumbo 2.x, which fixes various bugs and adds standard-compliant HTML serialization. [AATTstevecheckoway - #189][189]
* Children of the following elements are now removed by default when these elements are removed, rather than being preserved and escaped: - `iframe` - `noembed` - `noframes` - `noscript` - `script` - `style`
* Children of whitelisted `iframe` elements are now always removed. In modern HTML, `iframe` elements should never have children. In HTML 4 and earlier `iframe` elements were allowed to contain fallback content for legacy browsers, but it\'s been almost two decades since that was useful.
* Fixed a bug that caused `:remove_contents` to behave as if it were set to `true` when it was actually an Array. [189]:https://github.com/rgrove/sanitize/pull/189
* Wed Sep 05 2018 cooloAATTsuse.com- updated to version 4.6.6 see installed HISTORY.md [#]# 4.6.6 (2018-07-23)
* Improved performance and memory usage by optimizing `Sanitize#transform_node!` [AATTstanhu - #183][183] [183]:https://github.com/rgrove/sanitize/pull/183
* Thu May 17 2018 factory-autoAATTkulow.org- updated to version 4.6.5 see installed HISTORY.md [#]# 4.6.5 (2018-05-16)
* Improved performance slightly by tweaking the order of built-in transformers. [AATTrafbm - #180][180] [180]:https://github.com/rgrove/sanitize/pull/180
* Wed Mar 21 2018 factory-autoAATTkulow.org- updated to version 4.6.4 see installed HISTORY.md [#]# 4.6.4 (2018-03-20)
* Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. [AATTzetter - #177][177] [177]:https://github.com/rgrove/sanitize/issues/177
* Tue Mar 20 2018 factory-autoAATTkulow.org- updated to version 4.6.3 see installed HISTORY.md [#]# 4.6.3 (2018-03-19)
* Fixed an HTML injection vulnerability that could allow XSS. When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. Sanitize now performs additional escaping on affected attributes to prevent this. Many thanks to the Shopify Application Security Team for responsibly reporting this issue. [#]# 4.6.2 (2018-03-19)
* Reduced string allocations to optimize memory usage. [AATTjanklimo - #175][175] [175]:https://github.com/rgrove/sanitize/pull/175 [#]# 4.6.1 (2018-03-15)
* Added support for frozen string literals in Ruby 2.4+. [AATTflavorjones - #174][174] [174]:https://github.com/rgrove/sanitize/pull/174
* Tue Jan 30 2018 cbruckmayerAATTsuse.com- updated to version 4.6.0 [#]# 4.6.0 (2018-01-29)
* Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. AATTrafbm - #171
* Tue Jun 06 2017 cooloAATTsuse.com- updated to version 4.5.0 see installed HISTORY.md [#]# 4.5.0 (2017-06-04)
* Added SVG-related CSS properties to the relaxed config. See [the diff][161] for the full list of added properties. [AATTlouim - #161][161]
* Fixed: Sanitize now strips null bytes (` Nokogumbo, since they can cause recent versions to crash with a failed assertion in the Gumbo parser. [161]:https://github.com/rgrove/sanitize/pull/161
* Sat Oct 08 2016 cooloAATTsuse.com- updated to version 4.4.0 see installed HISTORY.md [#]# 4.4.0 (2016-09-29)
* Added `srcset` to the attribute whitelist for `img` elements in the relaxed config. [AATTejtttje - #156][156] [156]:https://github.com/rgrove/sanitize/pull/156
* Wed Sep 21 2016 cooloAATTsuse.com- updated to version 4.3.0 see installed HISTORY.md [#]# 4.3.0 (2016-09-20)
* Methods can now be used as transformers. [AATTSkipants - #155][155] [155]:https://github.com/rgrove/sanitize/pull/155
* Tue Aug 23 2016 cooloAATTsuse.com- updated to version 4.2.0 see installed HISTORY.md [#]# 4.2.0 (2016-08-22)
* Added `-webkit-font-smoothing` to the relaxed CSS config. [AATTlouim - #154][154]
* Fixed: Nokogumbo >=1.4.9 changed its behavior in a way that allowed invalid doctypes (like ``) when the `:allow_doctype` config setting was `true`. Invalid doctypes are now coerced to valid ones as they were prior to this Nokogumbo change. [154]:https://github.com/rgrove/sanitize/pull/154
* Mon Jul 18 2016 cooloAATTsuse.com- updated to version 4.1.0 see installed HISTORY.md
* Thu Dec 10 2015 cooloAATTsuse.com- updated to version 4.0.1 see installed HISTORY.md Version 4.0.1 (2015-12-09) - -------------------------
* Unpinned the Nokogumbo dependency. [AATTrubys - #141][141] [141]:https://github.com/rgrove/sanitize/pull/141
* Tue Apr 21 2015 cooloAATTsuse.com- updated to version 4.0.0
* Mon Feb 23 2015 cooloAATTsuse.com- updated to version 3.1.2
* Mon Feb 09 2015 cooloAATTsuse.com- updated to version 3.1.1, see HISTORY.md
* Mon Oct 13 2014 cooloAATTsuse.com- adapt to new rubygem packaging