Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency sanitize-html to v2 - abandoned #3

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency sanitize-html to v2 - abandoned #3

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 28, 2020
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sanitize-html ^1.22.1 -> ^2.0.0 age adoption passing confidence

Release Notes

apostrophecms/sanitize-html

v2.10.0

Compare Source

  • Fix auto-adding escaped closing tags. In other words, do not add implied closing tags to disallowed tags when disallowedTagMode is set to any variant of escape -- just escape the disallowed tags that are present. This fixes issue #​464. Thanks to Daniel Liebner
  • Add tagAllowed() helper function which takes a tag name and checks it against options.allowedTags and returns true if the tag is allowed and false if it is not.

v2.9.0

Compare Source

v2.8.1

Compare Source

  • If the argument is a number, convert it to a string, for backwards compatibility. Thanks to Alexander Schranz.

v2.8.0

Compare Source

  • Upgrades htmlparser2 to new major version ^8.0.0. Thanks to Kedar Chandrayan for this contribution.

v2.7.3

Compare Source

  • If allowedTags is falsy but not exactly false, then do not assume that all tags are allowed. Rather, allow no tags in this case, to be on the safe side. This matches the existing documentation and fixes issue #​176. Thanks to Kedar Chandrayan for the fix.

v2.7.2

Compare Source

  • Closing tags must agree with opening tags. This fixes issue #​549, in which closing tags not associated with any permitted opening tag could be passed through. No known exploit exists, but it's better not to permit this. Thanks to
    Kedar Chandrayan for the report and the fix.

v2.7.1

Compare Source

  • Protocol-relative URLs are properly supported for script tags. Thanks to paweljq.
  • A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.

v2.7.0

Compare Source

  • Allows a more sensible set of default attributes on <img /> tags. Thanks to Zade Viggers.

v2.6.1

Compare Source

  • Fixes style filtering to retain !important when used.
  • Fixed trailing text bug on transformTags options that was reported on issue #​506. Thanks to Alex Rantos.

v2.6.0

Compare Source

  • Support for regular expressions in the allowedClasses option. Thanks to Alex Rantos.

v2.5.3

Compare Source

  • Fixed bug introduced by klona 2.0.5, by removing klona entirely.

v2.5.2

Compare Source

  • Nullish HTML input now returns an empty string. Nullish value may be explicit null, undefined or implicit undefined when value is not provided. Thanks to Artem Kostiuk for the contribution.
  • Documented that all text content is escaped. Thanks to Siddharth Singh.

v2.5.1

Compare Source

  • The allowedScriptHostnames and allowedScriptDomains options now implicitly purge the inline content of all script tags, not just those with src attributes. This behavior was already strongly implied by the fact that they purged it in the case where a src attribute was actually present, and is necessary for the feature to provide any real security. Thanks to Grigorii Duca for pointing out the issue.

v2.5.0

Compare Source

  • New allowedScriptHostnames option, it enables you to specify which hostnames are allowed in a script tag.
  • New allowedScriptDomains option, it enables you to specify which domains are allowed in a script tag. Thank you to Yorick Girard for this and the allowedScriptHostnames contribution.
  • Updates whitelist to allowlist.

v2.4.0

Compare Source

  • Added support for class names with wildcards in allowedClasses. Thanks to zhangbenber for the contribution.

v2.3.3

Compare Source

  • Security fix: allowedSchemes and related options did not properly block schemes containing a hyphen, plus sign, period or digit, such as ms-calculator:. Thanks to Lukas Euler for pointing out the issue.
  • Added a security note about the known risks associated with using the parser option, especially decodeEntities: false. See the documentation.

v2.3.2

Compare Source

  • Additional fixes for iframe validation exploits. Prevent exploits based on browsers' tolerance of the use of "" rather than "/" and the presence of whitespace at this point in the URL. Thanks to Ron Masas of Checkmarx for pointing out the issue and writing unit tests.
  • Updates README yarn add syntax. Thanks to Tagir Khadshiev for the contribution.

v2.3.1

Compare Source

  • Uses the standard WHATWG URL parser to stop IDNA (Internationalized Domain Name) attacks on the iframe hostname validator. Thanks to Ron Masas of Checkmarx for pointing out the issue and suggesting the use of the WHATWG parser.

v2.3.0

Compare Source

  • Upgrades htmlparser2 to new major version ^6.0.0. Thanks to Bogdan Chadkin for the contribution.

v2.2.0

Compare Source

  • Adds a note to the README about Typescript support (or the lack-thereof).
  • Adds tel to the default allowedSchemes. Thanks to Arne Herbots for this contribution.

v2.1.2

Compare Source

  • Fixes typos and inconsistencies in the README. Thanks to Eric Lefevre-Ardant for this contribution.

v2.1.1

Compare Source

  • Fixes a bug when using allowedClasses with an '*' wildcard selector. Thanks to Clemens Damke for this contribution.
  • Updates mocha to 7.x to resolve security warnings.

v2.1.0

Compare Source

  • sup added to the default allowed tags list. Thanks to Julian Lam for the contribution.
  • Updates default allowedTags README documentation. Thanks to Marco Arduini for the contribution.

v2.0.0

Compare Source

  • nestingLimit option added.
  • Updates ESLint config package and fixes warnings.
  • Upgrade is-plain-object package with named export. Thanks to Bogdan Chadkin for the contribution.
  • Upgrade postcss package and drop Node 11 and Node 13 support (enforced by postcss).
Backwards compatibility breaks:
  • There is no build. You should no longer directly link to a sanitize-html file directly in the browser as it is using modern Javascript that is not fully supported by all major browsers (depending on your definition). You should now include sanitize-html in your project build for this purpose if you have one.
  • On the server side, Node.js 10 or higher is required.
  • The default allowedTags array was updated significantly. This mostly added HTML tags to be more comprehensive by default. You should review your projects and consider the allowedTags defaults if you are not already overriding them.

v1.27.5

Compare Source

  • Updates README to include ES modules syntax.

v1.27.4

Compare Source

  • Fixes an IE11 regression from using Array.prototype.includes, replacing it with Array.prototype.indexOf.

v1.27.3

Compare Source

  • Fixes a bug when using transformTags with out textFilter. Thanks to Andrzej Porebski for the help with a failing test.

v1.27.2

Compare Source

  • Fixes CHANGELOG links. Thanks to Alex Mayer for the contribution.
  • Replaces srcset with parse-srcset. Thanks to Massimiliano Mirra for the contribution.

v1.27.1

Compare Source

  • Removes the unused chalk dependency.
  • Adds configuration for a Github stale bot.
  • Replace xtend package with native Object.assign.

v1.27.0

Compare Source

  • Adds the allowedIframeDomains option. This works similar to allowedIframeHostnames, where you would set it to an array of web domains. It would then permit any hostname on those domains to be used in iframe src attributes. Thanks to Stanislav Kravchenko for the contribution.

v1.26.0

Compare Source

  • Adds the option element to the default nonTextTagsArray of tags with contents that aren't meant to be displayed visually as text. This can be overridden with the nonTextTags option.

v1.25.0

Compare Source

  • Adds enforceHtmlBoundary option to process code bounded by the html tag, discarding any code outside of those tags.
  • Migrates to the main lodash package from the per method packages since they are deprecated and cause code duplication. Thanks to Merceyz for the contribution.
  • Adds a warning when style and script tags are allowed, as they are inherently vulnerable to being used in XSS attacks. That warning can be disabled by including the option allowVulnerableTags: true so this choice is knowing and explicit.

v1.24.0

Compare Source

  • Fixes a bug where self-closing tags resulted in deletion with disallowedTagsMode: 'escape' set. Thanks to Thiago Negri for the contribution.
  • Adds abbr to the default allowedTags for better accessibility support. Thanks to Will Farrell for the contribution.
  • Adds a mediaChildren property to the frame object in custom filters. This allows you to check for links or other parent tags that contain self-contained media to prevent collapse, regardless of whether there is also text inside. Thanks to axdg for the initial implementation and Marco Arduini for a failing test contribution.

v1.23.0

Compare Source

  • Adds eslint configuration and adds eslint to test script.
  • Sets sideEffects: false on package.json to allow module bundlers like webpack tree-shake this module and all the dependencies from client build. Thanks to Egor Voronov for the contribution.
  • Adds the tagName (HTML element name) as a second parameter passed to textFilter. Thanks to Slava for the contribution.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Author

renovate bot commented Mar 24, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency sanitize-html to v2 Update dependency sanitize-html to v2 - abandoned Aug 6, 2024
@renovate Renovate
Copy link
Author

renovate bot commented Aug 6, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@tiotdev tiotdev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tiotdev @renovate-bot