chore: Release 4.6.3

rgrove · Mar 20, 2018 · 5f66eb1 · 5f66eb1
1 parent 01629a1
commit 5f66eb1
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,5 +1,20 @@
 # Sanitize History
 
+## 4.6.3 (2018-03-19)
+
+* Fixed an HTML injection vulnerability that could allow XSS.
+
+  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
+  specially crafted HTML fragment can cause libxml2 to generate improperly
+  escaped output, allowing non-whitelisted attributes to be used on whitelisted
+  elements.
+
+  Sanitize now performs additional escaping on affected attributes to prevent
+  this.
+
+  Many thanks to the Shopify Application Security Team for responsibly reporting
+  this issue.
+
 ## 4.6.2 (2018-03-19)
 
 * Reduced string allocations to optimize memory usage. [@janklimo - #175][175]

diff --git a/lib/sanitize/version.rb b/lib/sanitize/version.rb
@@ -1,5 +1,5 @@
 # encoding: utf-8
 
 class Sanitize
-  VERSION = '4.6.2'
+  VERSION = '4.6.3'
 end