Skip to content

Releases: rgrove/sanitize

v7.0.0

30 Dec 05:02
@rgrove rgrove
v7.0.0
19ee751
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v7.0.0 Latest
Latest

Sanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!

Added

  • Added over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of "Working Draft" or better in the latest W3C "All Properties" list.

  • Added the @container CSS at-rule to the relaxed config.

  • Added the -webkit-text-fill-color CSS property to the relaxed config. @radar - #244

Changed

  • Ruby 3.1.0 is now the oldest supported Ruby version.

  • Sanitize now requires Nokogiri 1.16.8 or higher.

Assets 2
Loading
0 Join discussion

v6.1.3

14 Aug 17:17
@rgrove rgrove
v6.1.3
This tag was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
b0ec1d6
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v6.1.3

Bug Fixes

  • The CSS URL protocol allowlist is now enforced on the nonstandard -webkit-image-set CSS function. @ltk - #242
Assets 2
Loading
0 Join discussion

v6.1.2

27 Jul 18:58
@rgrove rgrove
v6.1.2
This tag was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
a98ac98
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v6.1.2

Bug Fixes

Assets 2
Loading
0 Join discussion

v6.1.1

13 Jun 00:12
@rgrove rgrove
v6.1.1
This tag was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
2bc3d4a
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v6.1.1

Bug Fixes

  • Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. @flavorjones - #238
Assets 2
Loading
0 Join discussion

v6.1.0

14 Sep 21:54
@rgrove rgrove
v6.1.0
7194dca
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v6.1.0

Features

  • Added the text-decoration-skip-ink and text-decoration-thickness CSS properties to the relaxed config. @martineriksson - #228
Assets 2
Loading
0 Join discussion

v6.0.2

06 Jul 14:57
@rgrove rgrove
v6.0.2
76ed46e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v6.0.2

Bug Fixes

  • CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

    When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

    See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

    Thanks to @cure53 for finding this issue.

Contributors

cure53
Assets 2
Loading
0 Join discussion

v6.0.1

27 Jan 18:22
@rgrove rgrove
v6.0.1
This tag was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
a92f21c
This commit was signed with the committer’s verified signature.
rgrove Ryan Grove
SSH Key Fingerprint: thRC0SH42U0BGrkfOqydLps8tamqIti0xPgo3ydFNrk Learn about vigilant mode.
Compare
Choose a tag to compare
v6.0.1

Bug Fixes

  • Sanitize now always removes <noscript> elements and their contents, even when noscript is in the allowlist.

    This fixes a sanitization bypass that could occur when noscript was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.

    Sanitize's default configs don't allow <noscript> elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

    The root cause of this issue is that HTML parsing rules treat the contents of a <noscript> element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a <noscript> element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.

    See the following security advisory for additional details: GHSA-fw3g-2h3j-qmm7

    Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.

  • Fixed an edge case in which the contents of an "unescaped text" element (such as <noembed> or <xmp>) were not properly escaped if that element was allowlisted and was also inside an allowlisted <math> or <svg> element.

    The only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including <math> or <svg>. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.

    Please let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.

    Documentation has been updated to add more warnings and to make the existing warnings about this more prominent.

    Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.

Contributors

leeN
Assets 2
Loading

v6.0.0

04 Aug 04:30
@rgrove rgrove
v6.0.0
3fb1d86
Compare
Choose a tag to compare
v6.0.0

Potentially Breaking Changes

  • Ruby 2.5.0 is now the oldest officially supported Ruby version.

  • Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. @lis2 - #211

Assets 2
Loading

v5.2.3

11 Jan 23:43
@rgrove rgrove
v5.2.3
9b8b55b
Compare
Choose a tag to compare
v5.2.3

Bug Fixes

  • Ensure protocol sanitization is applied to data attributes. @ccutrer - #207
Assets 2
Loading

v5.2.2

06 Jan 19:03
@rgrove rgrove
v5.2.2
4ea3d8e
Compare
Choose a tag to compare
v5.2.2

Bug Fixes

  • Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. @mscrivo - #206
Assets 2
Loading