🚨 [security] Update rails-html-sanitizer 1.6.0 → 1.6.1 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ rails-html-sanitizer (indirect, 1.6.0 → 1.6.1) · Repo · Changelog

Security Advisories 🚨

🚨 rails-html-sanitize has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8.

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:

• allow both "math" and "style" elements
• or allow both "svg" and "style" elements

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["svg", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "style"]
# or
ActionText::ContentHelper.allowed_tags = ["svg", "style"]

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "style" from the overridden allowed tags,
• Or, remove "math" and "svg" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information)
• Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2503220

Credit

This vulnerability was responsibly reported by HackerOne user @taise.

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "math" and "style" elements are both explicitly allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "style"]

All users overriding the allowed tags by any of the above mechanisms to include both "math" and "style" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "math" or "style" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519941

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou).

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "math", "mtext", "table", and "style" elements are allowed
• and either "mglyph" or "malignmark" are allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements except for "table". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "mglyph"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "malignmark"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "mglyph"])
# or
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "malignmark"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

All users overriding the allowed tags by any of the above mechanisms to include ("math" and "mtext" and "table" and "style" and ("mglyph" or "malignmark")) should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "mglyph" and "malignmark" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519936

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou).

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "style" element is explicitly allowed
• the "svg" or "math" element is not allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["style"]

All users overriding the allowed tags by any of the above mechanisms to include "style" and omit "svg" or "math" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "style" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519936

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou).

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "noscript" element is explicitly allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["noscript"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["noscript"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["noscript"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["noscript"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["noscript"]

All users overriding the allowed tags by any of the above mechanisms to include "noscript" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "noscript" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2509647

Credit

This vulnerability was responsibly reported by HackerOne user @taise.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.22.0 → 2.23.1) · Repo · Changelog

Release Notes

2.23.1

2.23.1 / 2024-10-25

Added

• Allow CSS properties min-height and max-height. [#288] @lazyatom

Full Changelog: v2.23.0...v2.23.1

2.23.0

2.23.0 / 2024-10-24

Added

• Allow CSS property min-width. [#287] @lazyatom

New Contributors

• @m-nakamura145 made their first contribution in #280
• @lazyatom made their first contribution in #287

Full Changelog: v2.22.0...v2.23.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.16.5 → 1.16.8) · Repo · Changelog

Release Notes

1.16.7

v1.16.7 / 2024-07-27

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

---

sha256 checksums:

78778d35f165b59513be31c0fe232c63a82cf97626ffba695b5f822e5da1d74b  nokogiri-1.16.7-aarch64-linux.gem
c84cdb9e3aa44c35bbb981b20175838c4b2066c26c5cb118f31f177168a42fc3  nokogiri-1.16.7-arm-linux.gem
276dcea1b988a5b22b5acc1ba901d24b8e908c40b71dccd5d54a2ae279480dad  nokogiri-1.16.7-arm64-darwin.gem
044c45ca46abc2b6135a85ab39a546ff2f0434d43142bc59b83e5b1068876a42  nokogiri-1.16.7-java.gem
01ed785392f9cbdfd45e0e5ef6ad6d2c80a6128672589448f18952168bd68e56  nokogiri-1.16.7-x64-mingw-ucrt.gem
d8fd5c675743b85354c9098117bfa9e703c7cacab8c33e5190104ea8218ad1ec  nokogiri-1.16.7-x64-mingw32.gem
dddbf1c1ef99ce9fab98302b14f8bacb703e6f16e89b99f05ecee8a1fca23664  nokogiri-1.16.7-x86-linux.gem
b6517d995b024739cbb81251a26866d40e1ccb151936b5bb0977e7487f4e617c  nokogiri-1.16.7-x86-mingw32.gem
630732b80fc572690eab50c73a1f18988f3ac401ed0b67ca9956ba2b1e2c3faa  nokogiri-1.16.7-x86_64-darwin.gem
9e1e428641d5942af877c60b418c71163560e9feb4a5c4015f3230a8b86a40f6  nokogiri-1.16.7-x86_64-linux.gem
f819cbfdfb0a7b19c9c52c6f2ca63df0e58a6125f4f139707b586b9511d7fe95  nokogiri-1.16.7.gem

1.16.6

v1.16.6 / 2024-06-13

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

---

sha256 checksums:

7f4c37ee2dd9c97fdfb6278cf3d9dd2078651f241eed320e26902135dbf78183  nokogiri-1.16.6-aarch64-linux.gem
73d7a7ca569308f181a234269e6607c9acb26ecc93ccbb05998d24a9546c0a94  nokogiri-1.16.6-arm-linux.gem
43e8a783697c65413408a4923b5c2ed6bea6632cfdab4da220446b601733fa4b  nokogiri-1.16.6-arm64-darwin.gem
993ec13a1f0fb2261913e62e1f7a662c77108b1a59c903033eac432f74437275  nokogiri-1.16.6-java.gem
285687f16c330a9b61793d9d45913becf7a9aa82b0ce15c48fc1e0d6c6c9972f  nokogiri-1.16.6-x64-mingw-ucrt.gem
dbbefbfabe363daaa90e7c0b15854769e17ee5b8ae243014e0e55c01047eb5cd  nokogiri-1.16.6-x64-mingw32.gem
dedac3ee38b4deed1141747f04dd5ac512ef9165259cec66ec934edaa8a2a848  nokogiri-1.16.6-x86-linux.gem
5080e9512e3ba320aef074c16a23aef737301ac0e3b7a173a299dcaaa40b6a20  nokogiri-1.16.6-x86-mingw32.gem
92fa413d866baf9b609f17558ecfbcf950d5373213babcf4ce11d7eaed4b21cf  nokogiri-1.16.6-x86_64-darwin.gem
769bd2c14ad76dd5a7e14c867741cf2e3b8c25626a34f40aee7b0b998b8de820  nokogiri-1.16.6-x86_64-linux.gem
935fe4dd67d4377f4a05002acb1ffbadbcae265ea8e7869fc40e3a8121f3e1ef  nokogiri-1.16.6.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)