| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| no-relative-path.patch | autopkgtest should not use relative paths | | no | | | |
| Update-tests-to-remove-deprecated-minitest-must_be.patch | Update tests to remove deprecated minitest 'must_be' | Roman Vakulchik <rvakulchik@gmail.com> | no | | https://github.com/rgrove/sanitize/commit/a37a51b583fa4a97486d47e32625dae1baf0574c | 2021-08-20 |
| Forcibly-escape-content-in-unescaped-text-elements-i.patch | Forcibly escape content in "unescaped text" elements inside math or svg namespaces. This fixes an edge case in which the contents of an "unescaped text" element (such as `<noembed>` or `<xmp>`) were not properly escaped if that element was allowlisted and was also inside an allowlisted `<math>` or `<svg>` element. The only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including `<math>` or `<svg>`. Please let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application. Documentation has been updated to add more warnings and to make the existing warnings about this more prominent. | Ryan Grove <ryan@wonko.com> | no | | https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1 | 2023-01-25 |
| Always-remove-noscript-elements.patch | Always remove `<noscript>` elements, even if `noscript` is in the allowlist. A `<noscript>` element's content is parsed differently in browsers depending on whether or not scripting is enabled. Since Nokogiri doesn't support scripting, it always parses `<noscript>` elements as if scripting is disabled. This results in edge cases where it's not possible to reliably sanitize the contents of a `<noscript>` element because Nokogiri can't fully replicate the parsing behavior of a scripting-enabled browser. The safest thing to do is to simply remove all `<noscript>` elements. Fixes GHSA-fw3g-2h3j-qmm7 | Ryan Grove <ryan@wonko.com> | no | | debian, https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22 | 2023-01-26 |
| CVE-2023-36823.patch | [PATCH 1/3] Escape `</` to prevent a style element from being closed prematurely | Ryan Grove <ryan@wonko.com> | no | | | 2023-06-26 |