Skip to content

1.6.1 / 2024-12-02
Compare
Choose a tag to compare
@flavorjones flavorjones released this 02 Dec 20:52
· 4 commits to main since this release
v1.6.1
5e96b19
This commit was signed with the committer’s verified signature.
flavorjones Mike Dalessio
SSH Key Fingerprint: ZK4x6zxtwkfA7lI3LVqhuy/X7rGgBJeh/112JhcFHRU Learn about vigilant mode.

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

  • The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

    This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

    Mike Dalessio

  • Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
    regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the
    gem was configured with the prune: true option.

    The CVEs addressed by this change are:

    Mike Dalessio

  • The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
    the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
    are removed from the allow-list.

    The CVEs addressed by this change are:

    Please note that we may restore support for allowing "noscript" in a future release. We do not
    expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
    for these tags.

    Mike Dalessio

  • Improve performance by eliminating needless operations on attributes that are being removed. #188

    Mike Dalessio

Assets 2
Loading