Bump rails-html-sanitizer from 1.4.2 to 1.4.3#19
Closed
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.4.2 to 1.4.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's releases</a>.</em></p> <blockquote> <h2>1.4.3 / 2022-06-09</h2> <ul> <li> <p>Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Prevent the combination of <code>select</code> and <code>style</code> as allowed tags in SafeListSanitizer.</p> <p>Fixes CVE-2022-32209</p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/blob/master/CHANGELOG.md">rails-html-sanitizer's changelog</a>.</em></p> <blockquote> <h2>1.4.3 / 2022-06-09</h2> <ul> <li> <p>Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Prevent the combination of <code>select</code> and <code>style</code> as allowed tags in SafeListSanitizer.</p> <p>Fixes CVE-2022-32209</p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/f83f08c81a3a33ce0fb1c379933c416ae80672fa"><code>f83f08c</code></a> version bump to v1.4.3</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/924e3ab05ca56e53ebcb994e4a63977e56f06d2f"><code>924e3ab</code></a> update CHANGELOG for v1.4.3</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/9b79253eb888a74e425c7da073c46014b8290d58"><code>9b79253</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/137">#137</a> from rails/flavorjones-prevent-select-style-combinati...</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d"><code>45a5c10</code></a> fix: modify safelist option if it contains both <code>select</code> and <code>style</code></li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/045774aec722d2f6bae99e8b3143b3e893e5eb29"><code>045774a</code></a> test: clean up tests by using the helpers</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/fe109c9fd4bfc5fbe954edb9e39410ae416b8f4f"><code>fe109c9</code></a> test: ensure we pass with libxml 2.9.14</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/9778c471211af9c9bdd6185c71b4594711ab49c9"><code>9778c47</code></a> test: ensure tests pass when nokogiri uses system libxml2</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/9c421f0c932f6dd97f59ed96f57eef21193736c4"><code>9c421f0</code></a> ci: add coverage for system libxml2</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/984b82e07b81a427e1c6473d40fe3c81faeab5bc"><code>984b82e</code></a> ci: include coverage of ruby 3.1 and jruby 9.3</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/18f2f2c17e86d149bbf0f6d0aa5000fcbf1e9105"><code>18f2f2c</code></a> test: finally use the CSS hex encoding originally intended</li> <li>See full diff in <a href="https://github.com/rails/rails-html-sanitizer/compare/v1.4.2...v1.4.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/sas2job/magic_ball_tg_bot/network/alerts). </details>
AI Analysis
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be resolved. The issue was opened by dependabot[bot] and has received 1 comments.
Add a comment
Comment form would go here