File tree Expand file tree Collapse file tree 1 file changed +35
-1
lines changed Expand file tree Collapse file tree 1 file changed +35
-1
lines changed Original file line number Diff line number Diff line change 1- ## next / unreleased
1+ ## 1.6.1 / unreleased
2+
3+ This is a performance and security release which addresses several possible XSS vulnerabilities.
4+
5+ * The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.
6+
7+ This change addresses CVE-TODO (GHSA-w8gc -x259-rc7x).
8+
9+ * Mike Dalessio*
10+
11+ * Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
12+ regardless of the ` prune: ` option value. Previously, disallowed tags were "stripped" unless the
13+ gem was configured with the ` prune: true ` option.
14+
15+ The CVEs addressed by this change are:
16+
17+ - CVE-TODO (GHSA-638j -pmjw-jq48)
18+ - CVE-TODO (GHSA-2x5m -9ch4-qgrr)
19+
20+ * Mike Dalessio*
21+
22+ * The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
23+ the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
24+ are removed from the allow-list.
25+
26+ The CVEs addressed by this change are:
27+
28+ - CVE-TODO (GHSA-cfjx -w229-hgx5)
29+ - CVE-TODO (GHSA-rxv5 -gxqc-xx8g)
30+
31+ Please note that we _ may_ restore support for allowing "noscript" in a future release. We do not
32+ expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
33+ for these tags.
34+
35+ * Mike Dalessio*
236
337* Improve performance by eliminating needless operations on attributes that are being removed. #188
438
You can’t perform that action at this time.
0 commit comments