head	1.7;
access;
symbols
	pkgsrc-2025Q2:1.7.0.8
	pkgsrc-2025Q2-base:1.7
	pkgsrc-2025Q1:1.7.0.6
	pkgsrc-2025Q1-base:1.7
	pkgsrc-2024Q4:1.7.0.4
	pkgsrc-2024Q4-base:1.7
	pkgsrc-2024Q3:1.7.0.2
	pkgsrc-2024Q3-base:1.7
	pkgsrc-2024Q2:1.5.0.2
	pkgsrc-2024Q2-base:1.5
	pkgsrc-2024Q1:1.4.0.6
	pkgsrc-2024Q1-base:1.4
	pkgsrc-2023Q4:1.4.0.4
	pkgsrc-2023Q4-base:1.4
	pkgsrc-2023Q3:1.4.0.2
	pkgsrc-2023Q3-base:1.4
	pkgsrc-2023Q2:1.2.0.4
	pkgsrc-2023Q2-base:1.2
	pkgsrc-2023Q1:1.2.0.2
	pkgsrc-2023Q1-base:1.2
	pkgsrc-2022Q4:1.1.0.4
	pkgsrc-2022Q4-base:1.1
	pkgsrc-2022Q3:1.1.0.2
	pkgsrc-2022Q3-base:1.1;
locks; strict;
comment	@# @;


1.7
date	2024.09.22.06.49.07;	author taca;	state Exp;
branches;
next	1.6;
commitid	VKNHuMu9IBAeMLqF;

1.6
date	2024.07.28.13.41.02;	author taca;	state Exp;
branches;
next	1.5;
commitid	BGQ68L9yx1Y9RBjF;

1.5
date	2024.06.15.16.32.25;	author taca;	state Exp;
branches;
next	1.4;
commitid	zn4OW1DVoofEb6eF;

1.4
date	2023.09.18.17.37.33;	author taca;	state Exp;
branches;
next	1.3;
commitid	bsynwUieW5L4ghFE;

1.3
date	2023.07.09.02.56.28;	author taca;	state Exp;
branches;
next	1.2;
commitid	6h6oKuwcLw5dF4wE;

1.2
date	2023.02.04.13.33.10;	author taca;	state Exp;
branches
	1.2.4.1;
next	1.1;
commitid	e09r3ja9C8fCadcE;

1.1
date	2022.08.30.15.37.23;	author taca;	state Exp;
branches;
next	;
commitid	GhebMjMNGxH7WURD;

1.2.4.1
date	2023.08.13.09.03.45;	author bsiegert;	state Exp;
branches;
next	;
commitid	qaqawUSGHuUzzBAE;


desc
@@


1.7
log
@textproc/ruby-sanitize: update to 6.1.3

6.1.2 (2024-07-27)

Bug Fixes

* The CSS URL protocol allowlist is now properly enforced in CSS Images
  Module Level 4 image and image-set functions. @@ltk - #240

6.1.3 (2024-08-14)

Bug Fixes

* The CSS URL protocol allowlist is now enforced on the nonstandard
  -webkit-image-set CSS function. @@ltk - #242
@
text
@# $NetBSD: Makefile,v 1.6 2024/07/28 13:41:02 taca Exp $

DISTNAME=	sanitize-6.1.3
CATEGORIES=	textproc

MAINTAINER=	pkgsrc-users@@NetBSD.org
HOMEPAGE=	https://github.com/rgrove/sanitize/
COMMENT=	Allowlist-based HTML and CSS sanitizer
LICENSE=	mit

DEPENDS+=	${RUBY_PKGPREFIX}-crass>=1.0.2<1.1:../../www/ruby-crass
DEPENDS+=	${RUBY_PKGPREFIX}-nokogiri>=1.12.0:../../textproc/ruby-nokogiri

USE_LANGUAGES=	# empty

.include "../../lang/ruby/gem.mk"
.include "../../mk/bsd.pkg.mk"
@


1.6
log
@textproc/ruby-sanitize: update to 6.1.2

6.1.2 (2024-07-27)

Bug Fixes

* The CSS URL protocol allowlist is now properly enforced in CSS Images
  Module Level 4 image and image-set functions. @@ltk - #240
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.5 2024/06/15 16:32:25 taca Exp $
d3 1
a3 1
DISTNAME=	sanitize-6.1.2
@


1.5
log
@textproc/ruby-sanitize: update to 6.1.1

6.1.1 (2024-06-13)

* Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will
  be used in an upcoming version of Nokogiri) that caused HTML doctype
  sanitization to fail.  @@flavorjones - #238
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.4 2023/09/18 17:37:33 taca Exp $
d3 1
a3 1
DISTNAME=	sanitize-6.1.1
@


1.4
log
@textproc/ruby-sanitize: update to 6.1.0

6.1.0 (2023-09-14)

Features

* Added the text-decoration-skip-ink and text-decoration-thickness CSS
  properties to the relaxed config.  @@martineriksson - #228
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.3 2023/07/09 02:56:28 taca Exp $
d3 1
a3 1
DISTNAME=	sanitize-6.1.0
@


1.3
log
@textproc/ruby-sanitize: update to 6.0.2

6.0.2 (2023-07-06)

Bug Fixes

* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
  6.0.1.

  When using Sanitize's relaxed config or a custom config that allows
  <style> elements and one or more CSS at-rules, carefully crafted input
  could be used to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details:
  GHSA-f5ww-cq3m-q3g7

  Thanks to @@cure53 for finding this issue.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.2 2023/02/04 13:33:10 taca Exp $
d3 1
a3 1
DISTNAME=	sanitize-6.0.2
@


1.2
log
@textproc/ruby-sanitize: update to 6.0.1

6.0.1 (2023-01-27)

Bug Fixes

* Sanitize now always removes <noscript> elements and their contents, even
  when noscript is in the allowlist.

  This fixes a sanitization bypass that could occur when noscript was
  allowed by a custom allowlist.  In this scenario, carefully crafted input
  could sneak arbitrary HTML through Sanitize, potentially enabling an XSS
  (cross-site scripting) attack.

  Sanitize's default configs don't allow <noscript> elements and are not
  vulnerable.  This issue only affects users who are using a custom config
  that adds noscript to the element allowlist.

  The root cause of this issue is that HTML parsing rules treat the contents
  of a <noscript> element differently depending on whether scripting is
  enabled in the user agent.  Nokogiri doesn't support scripting so it
  follows the "scripting disabled" rules, but a web browser with scripting
  enabled will follow the "scripting enabled" rules.  This means that
  Sanitize can't reliably make the contents of a <noscript> element safe for
  scripting enabled browsers, so the safest thing to do is to remove the
  element and its contents entirely.

  See the following security advisory for additional details:
  GHSA-fw3g-2h3j-qmm7

  Thanks to David Klein from TU Braunschweig (@@leeN) for reporting this
  issue.

* Fixed an edge case in which the contents of an "unescaped text" element
  (such as <noembed> or <xmp>) were not properly escaped if that element was
  allowlisted and was also inside an allowlisted <math> or <svg> element.

  The only way to encounter this situation was to ignore multiple warnings
  in the readme and create a custom config that allowlisted all the elements
  involved, including <math> or <svg>.  If you're using a default config or
  if you heeded the warnings about MathML and SVG not being supported,
  you're not affected by this issue.

  Please let this be a reminder that Sanitize cannot safely sanitize MathML
  or SVG content and does not support this use case.  The default configs
  don't allow MathML or SVG elements, and allowlisting MathML or SVG
  elements in a custom config may create a security vulnerability in your
  application.

  Documentation has been updated to add more warnings and to make the
  existing warnings about this more prominent.

  Thanks to David Klein from TU Braunschweig (@@leeN) for reporting this
  issue.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.1 2022/08/30 15:37:23 taca Exp $
d3 1
a3 1
DISTNAME=	sanitize-6.0.1
@


1.2.4.1
log
@Pullup ticket #6781 - requested by taca
textproc/ruby-sanitize: security fix (CVE-2023-36823)

Revisions pulled up:
- textproc/ruby-sanitize/Makefile                               1.3
- textproc/ruby-sanitize/distinfo                               1.3

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Jul  9 02:56:28 UTC 2023

   Modified Files:
   	pkgsrc/textproc/ruby-sanitize: Makefile distinfo

   Log Message:
   textproc/ruby-sanitize: update to 6.0.2

   6.0.2 (2023-07-06)

   Bug Fixes

   * CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
     (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
     6.0.1.

     When using Sanitize's relaxed config or a custom config that allows
     <style> elements and one or more CSS at-rules, carefully crafted input
     could be used to sneak arbitrary HTML through Sanitize.

     See the following security advisory for additional details:
     GHSA-f5ww-cq3m-q3g7

     Thanks to @@cure53 for finding this issue.
@
text
@d1 1
a1 1
# $NetBSD$
d3 1
a3 1
DISTNAME=	sanitize-6.0.2
@


1.1
log
@textproc/ruby-sanitize: add package version 6.0.0

It is required for forthcoming redmine50 package.

Sanitize is an allowlist-based HTML and CSS sanitizer.  It removes all HTML
and/or CSS from a string except the elements, attributes, and properties you
choose to allow.
@
text
@d1 1
a1 1
# $NetBSD$
d3 1
a3 1
DISTNAME=	sanitize-6.0.0
@