Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump redcarpet from 2.1.1 to 3.4.0 #427

Closed
wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link
Contributor

@dependabot-preview dependabot-preview bot commented Jan 6, 2019

Bumps redcarpet from 2.1.1 to 3.4.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
(XSS) attack. This flaw exists because the parse_inline() function in
markdown.c does not validate input before returning it to users. This may
allow a remote attacker to create a specially crafted request that would
execute arbitrary script code in a user's browser session within the trust
relationship between their browser and the server.

Patched versions: >= 3.2.3
Unaffected versions: none

Release notes

Sourced from redcarpet's releases.

v3.4.0

Redcarpet v3.4.0

This new release ships with a bunch of bug fixes especially regarding anchor generation.

Improvements to anchor generation

The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty as non alpha-numeric chars. This is specifically interesting for CJK contents as Redcarpet used to generate empty anchors dealing with titles in these locales.

Special thanks to Alexey Kopytko and namusyaka for their work on that !

Also now, the html-escaped entities are removed from anchors generated with the HTML render in order to be consistent with the HTML_TOC render and as it is more expected.

Other improvements

  • Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
  • The Markdown and rendering options are now exposed through a Hash inside the [**options**](https://github.com/options) instance variable inside your custom render objects.

Bug fixes

  • Multiple single quote pairs are parsed correctly with SmartyPants.
  • Remove periods at the end of URLs when autolinking to make sure
    that links at the end of a sentence get properly generated.
  • Avoid escaping ampersands in href links.

Checkout the CHANGELOG for further information and changes.

Redcarpet 3.3.4

This release simply fixes the bufprintf function to correctly work on Windows MinGW-w64 so strings are properly written to the buffer and also skips non-ASCII chars during anchor generation to avoid generating invalid UTF-8 bytes sequences.

Redcarpet 3.3.1

As of version 3.3.0, the provided redcarpet executable no longer worked since it relies on a new Redcarpet::CLI class that wasn't available because its file wasn't included in the gemspec. This version fixes this.

Redcarpet 3.3.0

Redcarpet v3.3.0

This new release ships with a bunch of bug fixes and improvements especially regarding anchor generation.

Improvements to anchors

The anchor generation algorithm has been improved. It now correctly strips out non-alphanumeric chars from the generated string ; it tries as much as possible to match the behavior of the Active Support's #parameterize method.

Moreover, Redcarpet used to HTML-escape anchors rendered through the HTMl_TOC render. This is no longer the case but if you want this behavior back for any reason, you can now pass the :escape_html option instantiating the object.

Redcarpet's command line interface

The plain old Ruby file that was provided as a bin script now relies on a brand new API that you can use and that uses Ruby's OptionParser.

This allows you to create custom scripts for your needs. You can handle the provided files as you want and add new options or fall-backs (e.g. an option to use Pygments). Read the documentation of the Redcarpet::CLI class for further information.

Undeprecate the RedCloth API compatibility layer

... (truncated)
Changelog

Sourced from redcarpet's changelog.

Version 3.4.0

  • Rely on djb2 hashing generating anchors with non-ASCII chars.

    Fix issue #538.

    Alexey Kopytko, namusyaka

  • Added suppport for HTML 5 details and summary tags.

    Fix issue #578.

    James Edwards-Jones

  • Multiple single quote pairs are parsed correctly with SmartyPants.

    Fix issue #549.

    Jan Jędrychowski

  • Table headers don't require a minimum of three dashes anymore; a
    single one can be used for each row.

  • Remove escaped entities from HTML render table of contents'
    ids to be consistent with the HTML_TOC render.

    Fix issue #529.

  • Remove periods at the end of URLs when autolinking to make sure
    that links at the end of a sentence get properly generated.

    Fix issue #465.

  • Expose the Markdown and rendering options through a Hash inside
    the [**options**](https://github.com/options) instance variable for custom render objects.

  • Avoid escaping ampersands in href links.

    Nolan Evans

Version 3.3.4

  • Fix bufprintf to correctly work on Windows MinGW-w64 so strings
    are properly written to the buffer.

    Kenichi Saita

  • Fix the header anchor normalization by skipping non-ASCII chars
    and not calling tolower because this leads to invalid UTF-8 byte
    sequences in the HTML output. (tolower is not locale-aware)

... (truncated)
Commits
  • ef93be6 Redcarpet v3.4.0
  • fdec6be Reference the original issue for future reference
  • a666af3 Follow up to #591
  • cf2da0b Merge pull request #591 from sanmai/rndr_header_anchor
  • f2d0ad9 rndr_header_anchor: use djb2 hash for non-ascii text
  • 8d8e1ec rndr_header_anchor: do not remove character if nothing was added
  • 820dadb Merge pull request #583 from arbox/fb_correct_version_output
  • 4c4c9f2 Corrected the line ending for the version output.
  • 8f811de Improve the custom render example [ci skip]
  • 0993c2c Add Rubinius under the allowed failures section
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jan 6, 2019
Bumps [redcarpet](https://github.com/vmg/redcarpet) from 2.1.1 to 3.4.0. **This update includes security fixes.**
- [Release notes](https://github.com/vmg/redcarpet/releases)
- [Changelog](https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md)
- [Commits](vmg/redcarpet@v2.1.1...v3.4.0)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot force-pushed the dependabot/bundler/redcarpet-3.4.0 branch from 92c4148 to 9f8c892 Compare January 8, 2019 13:47
@dependabot-preview
Copy link
Contributor Author

Superseded by #461.

@dependabot-preview dependabot-preview bot deleted the dependabot/bundler/redcarpet-3.4.0 branch July 30, 2019 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant