[openstreetmap/openstreetmap-website] Bump sanitize from 5.2.0 to 5.2.1 (#2659)

dependabot[bot] notifications at github.com
Tue Jun 16 22:10:40 UTC 2020


Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.2.0 to 5.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rgrove/sanitize/releases">sanitize's releases</a>.</em></p>
<blockquote>
<h2>v5.2.1</h2>
<h3>Bug Fixes</h3>
<ul>
<li>
<p>Fixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0.</p>
<p>When HTML was sanitized using the &quot;relaxed&quot; config or a custom config that allows certain elements, some content in a <code>&lt;math&gt;</code> or <code>&lt;svg&gt;</code> element may not have beeen sanitized correctly even if <code>math</code> and <code>svg</code> were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.</p>
<p>You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:</p>
<ul>
<li><code>iframe</code></li>
<li><code>math</code></li>
<li><code>noembed</code></li>
<li><code>noframes</code></li>
<li><code>noscript</code></li>
<li><code>plaintext</code></li>
<li><code>script</code></li>
<li><code>style</code></li>
<li><code>svg</code></li>
<li><code>xmp</code></li>
</ul>
<p>See the security advisory for more details, including a workaround if you're not able to upgrade: <a href="https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m">GHSA-p4x4-rw2p-8j8m</a></p>
<p>Many thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/rgrove/sanitize/blob/master/HISTORY.md">sanitize's changelog</a>.</em></p>
<blockquote>
<h2>5.2.1 (2020-06-16)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>
<p>Fixed an HTML sanitization bypass that could allow XSS. This issue affects
Sanitize versions 3.0.0 through 5.2.0.</p>
<p>When HTML was sanitized using the &quot;relaxed&quot; config or a custom config that
allows certain elements, some content in a <code>&lt;math&gt;</code> or <code>&lt;svg&gt;</code> element may not
have beeen sanitized correctly even if <code>math</code> and <code>svg</code> were not in the
allowlist. This could allow carefully crafted input to sneak arbitrary HTML
through Sanitize, potentially enabling an XSS (cross-site scripting) attack.</p>
<p>You are likely to be vulnerable to this issue if you use Sanitize's relaxed
config or a custom config that allows one or more of the following HTML
elements:</p>
<ul>
<li><code>iframe</code></li>
<li><code>math</code></li>
<li><code>noembed</code></li>
<li><code>noframes</code></li>
<li><code>noscript</code></li>
<li><code>plaintext</code></li>
<li><code>script</code></li>
<li><code>style</code></li>
<li><code>svg</code></li>
<li><code>xmp</code></li>
</ul>
<p>See the security advisory for more details, including a workaround if you're
not able to upgrade: <a href="https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m">GHSA-p4x4-rw2p-8j8m</a></p>
<p>Many thanks to Michał Bentkowski of Securitum for reporting this issue and
helping to verify the fix.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/rgrove/sanitize/commit/773d1af976b0e67a966bd3676ebab4f037395699"><code>773d1af</code></a> Release 5.2.1</li>
<li><a href="https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9"><code>a11498d</code></a> Fix sanitization bypass in HTML foreign content</li>
<li><a href="https://github.com/rgrove/sanitize/commit/1d0d688120fb8309b31859319143ef16f92755eb"><code>1d0d688</code></a> Update the &quot;Supported Versions&quot; policy to be more realistic</li>
<li>See full diff in <a href="https://github.com/rgrove/sanitize/compare/v5.2.0...v5.2.1">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize&package-manager=bundler&previous-version=5.2.0&new-version=5.2.1)](https://help.github.com/articles/configuring-automated-security-fixes)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/openstreetmap/openstreetmap-website/network/alerts).

</details>
You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/2659

-- Commit Summary --

  * Bump sanitize from 5.2.0 to 5.2.1

-- File Changes --

    M Gemfile.lock (2)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/2659.patch
https://github.com/openstreetmap/openstreetmap-website/pull/2659.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2659
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20200616/e43656b2/attachment.htm>


More information about the rails-dev mailing list