RubyGems - gollum-lib - Versions diffs - 5.2.3 → 5.2.4 - Mend

gollum-lib 5.2.3 → 5.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/HISTORY.md +6 -0
data/LATEST_CHANGES.md +2 -3
data/lib/gollum-lib/filter/toc.rb +1 -1
data/lib/gollum-lib/macro/video.rb +4 -2
data/lib/gollum-lib/sanitization.rb +1 -1
data/lib/gollum-lib/version.rb +1 -1
data/lib/gollum-lib/wiki.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76bc9820326afb2ae3a0c8768311f7e757dbe763ce7c5064e05edaf45f48f013
-  data.tar.gz: 1e6fa1ba6853fd44594c5ffad36148d0022c75bc1bfcd2f05fbc8e2c0e960bfd
+  metadata.gz: 89665fc53e8dac8e1787645fde43c827410639049a789503b7e2859ce5fadb5f
+  data.tar.gz: cc9aac74db4af15d4943663ec1b3ab02dd451c77a728db20dcd87b4580736d39
 SHA512:
-  metadata.gz: 630ec62731370539725a760d149cd7940048087ed2a306d8cab9a23de77f137566383c644c177cec5904426fca0b81c210762d61ae64a0570b122fd98ba1fb92
-  data.tar.gz: 86546d058561c867d2eacf5df54ab1d7f834444f13202619688b5cccc972016e9119b421574d5e6bc1b3cb97edd11c7037d6be427a1586605056784564b17f9e
+  metadata.gz: 4a19c6ecd939a79ec62de95e06508e97ef962abdcf945a73da5b5aeed97149cee79b6fce2532aa8ca21e701f9b4251746aa69b2456a5f5276e40b0541814bd22
+  data.tar.gz: '029d5f5f42f759e8827871cc80ccb4d3308f794dd3d7bffe5c0c7286d1acd3fc40f6c644c57ca975c49c63d7085bfb14a5bef0887599db5bafc78978434ea622'

data/HISTORY.md CHANGED Viewed

@@ -1,3 +1,9 @@
+# 5.2.3 / 2023-03-13
+* Bugfix release: update adapter dependencies for Ruby 3.2 support.
 # 5.2.2 / 2023-01-18
 * Bugfix release: set Nokogiri default XHTML conversion options more relaibly. See https://github.com/sparklemotion/nokogiri/issues/2761

data/LATEST_CHANGES.md CHANGED Viewed

@@ -1,4 +1,3 @@
-# 5.2.3 / 2023-03-13
-* Bugfix release: update adapter dependencies for Ruby 3.2 support.
+# 5.2.4 / 2023-03-22
+* Bugfix release: address XSS vulnerability ( @6661620a, @dometto)

data/lib/gollum-lib/filter/toc.rb CHANGED Viewed

@@ -157,7 +157,7 @@ class Gollum::Filter::TOC < Gollum::Filter
     end
     # % -> %25 so anchors work on Firefox. See issue #475
-    @tail.add_child(%Q{<a href="##{name}">#{header.content}</a>})
+    @tail.add_child(%Q{<a href="##{name}">#{CGI.escapeHTML(header.content)}</a>})
   end
   # Increments the number of anchors with the given name

data/lib/gollum-lib/macro/video.rb CHANGED Viewed

@@ -1,8 +1,10 @@
 module Gollum
   class Macro
     class Video < Gollum::Macro
-      def render (fname)
-        "<video width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"true\"> HTML5 video is not supported on this Browser.</video>"
+      def render(fname, auto=false)
+        escaped_fname = CGI.escapeHTML(fname)
+        properties = auto ? "autoplay='true' playsinline='true' muted='true' loop='true'" : "controls='true'"
+        "<video width='100%' height='100%' src='#{escaped_fname}' #{properties}>HTML5 video is not supported on this browser.</video>"
       end
     end
   end

data/lib/gollum-lib/sanitization.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 ::Loofah::HTML5::SafeList::ACCEPTABLE_PROTOCOLS.add('apt')
-::Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES.add('controls')
+::Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES.merge(%w[controls loop muted playsinline autoplay])
 module Gollum
   class Sanitization

data/lib/gollum-lib/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Gollum
   module Lib
-    VERSION = '5.2.3'
+    VERSION = '5.2.4'
   end
 end

data/lib/gollum-lib/wiki.rb CHANGED Viewed

@@ -152,7 +152,7 @@ module Gollum
       @per_page_uploads     = options.fetch :per_page_uploads, false
       @metadata             = options.fetch :metadata, {}
       @filter_chain         = options.fetch :filter_chain,
-                                            [:YAML, :BibTeX, :PlainText, :CriticMarkup, :TOC, :RemoteCode, :Code, :Macro, :Emoji, :Sanitize, :PlantUML, :Tags, :PandocBib, :Render]
+                                            [:YAML, :BibTeX, :PlainText, :CriticMarkup, :TOC, :Sanitize, :RemoteCode, :Code, :Macro, :Emoji, :PlantUML, :Tags, :PandocBib, :Render]
       @filter_chain.delete(:Emoji) unless options.fetch :emoji, false
       @filter_chain.delete(:PandocBib) unless ::Gollum::MarkupRegisterUtils.using_pandoc?
       @filter_chain.delete(:CriticMarkup) unless options.fetch :critic_markup, false

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gollum-lib
 version: !ruby/object:Gem::Version
-  version: 5.2.3
+  version: 5.2.4
 platform: ruby
 authors:
 - Tom Preston-Werner
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-13 00:00:00.000000000 Z
+date: 2023-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gollum-rugged_adapter
@@ -470,7 +470,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: A simple, Git-powered wiki.