Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: rails/rails-html-sanitizer
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v1.4.3
Choose a base ref
...
head repository: rails/rails-html-sanitizer
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v1.4.4
Choose a head ref
  • 9 commits
  • 7 files changed
  • 1 contributor

Commits on Nov 16, 2022

  1. tests: handle libxml 2.10.0 incorrectly-opened comment parsing 

    Related, see:

- sparklemotion/nokogiri#2625
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
    @flavorjones
    flavorjones committed Nov 16, 2022
    Configuration menu
    Copy the full SHA
    11752a6 View commit details
    Browse the repository at this point in the history

  2. Merge pull request #145 from rails/flavorjones-get-14x-green 

    backport CI fixes to stay green with latest libxml2
    @flavorjones
    flavorjones authored Nov 16, 2022
    Configuration menu
    Copy the full SHA
    3e2a0f3 View commit details
    Browse the repository at this point in the history

Commits on Dec 11, 2022

  1. ci: pin system lib test to 20.04 

    because the 22.04 has a version with 4fd69f3 but not e986d09 from
2.9.14 and that's causing leading `<` to be parsed differently.

i'd fix it better than this, but I think only 2.9.13 has this behavior.
    @flavorjones
    flavorjones committed Dec 11, 2022
    Configuration menu
    Copy the full SHA
    df03f2f View commit details
    Browse the repository at this point in the history

  2. fix: replace slow regex attribute check with Loofah method 

    which uses the Crass parser
    @flavorjones
    flavorjones committed Dec 11, 2022
    Configuration menu
    Copy the full SHA
    f0e3347 View commit details
    Browse the repository at this point in the history

  3. fix: use Loofah's scrub_uri_attribute method 

    which correctly sanitizes data URL mediatypes
    @flavorjones
    flavorjones committed Dec 11, 2022
    Configuration menu
    Copy the full SHA
    d1223a2 View commit details
    Browse the repository at this point in the history

  4. revert 45a5c10 

    to prepare for a better fix
    @flavorjones
    flavorjones committed Dec 11, 2022
    Configuration menu
    Copy the full SHA
    e6d52d3 View commit details
    Browse the repository at this point in the history

  5. fix: escape CDATA nodes using Loofah's escaping methods 

    Also, notably, document the decisions behind this approach in a
decision record.
    @flavorjones
    flavorjones committed Dec 11, 2022
    Configuration menu
    Copy the full SHA
    0713caf View commit details
    Browse the repository at this point in the history

Commits on Dec 12, 2022

  1. dep: bump dependency on loofah 

    v2.19.1 has the new methods we're using:

- Loofah::HTML5::Scrub.cdata_needs_escaping?
- Loofah::HTML5::Scrub.cdata_escape
- Loofah::HTML5::Scrub.scrub_uri_attribute
- Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref

avoiding code duplication in this gem.
    @flavorjones
    flavorjones committed Dec 12, 2022
    Configuration menu
    Copy the full SHA
    48ae90a View commit details
    Browse the repository at this point in the history

  2. version bump to v1.4.4

    @flavorjones
    flavorjones committed Dec 12, 2022
    Configuration menu
    Copy the full SHA
    fd63dea View commit details
    Browse the repository at this point in the history
Loading