Update loofah to 2.2.1 or later

Description

We need to update loofah due to a vulnerability:

Name: loofah
Version: 2.0.3
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/issues/144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1
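As an added example (not code from this issue or from the AO3 project), here is a small Ruby audit of the kind a practitioner would run after seeing the advisory above: it parses the `specs:` section of a Gemfile.lock and flags a loofah entry whose locked version does not satisfy the fix requirement, using RubyGems' own `Gem::Requirement`/`Gem::Version` comparison so prerelease and multi-part versions compare correctly. The lockfile text is a constructed sample; only the gem name, the locked version 2.0.3, the CVE id and the `>= 2.2.1` requirement come from the advisory.

```ruby
# Added example: audit a Gemfile.lock for a loofah version older than the
# fix version named in the advisory. Not part of the original issue.
require "rubygems" # Gem::Version / Gem::Requirement (standard library)

# Advisory data copied from the issue description.
ADVISORY = {
  name:     "loofah",
  cve:      "CVE-2018-8048",
  fixed_in: ">= 2.2.1",
}.freeze

# Constructed sample Gemfile.lock; only the resolved "specs:" block matters.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  PLATFORMS
    ruby
LOCK

# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# Resolved gems are the exactly-four-space-indented "name (version)" lines;
# deeper indentation lists a gem's dependencies and is skipped. Platform
# suffixes such as "1.8.2-x86_64-linux" are kept verbatim.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # Any new top-level section (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# True when the locked version already satisfies the advisory's requirement.
def patched?(locked_version, fixed_in)
  Gem::Requirement.new(fixed_in).satisfied_by?(Gem::Version.new(locked_version))
end

# Look up the advisory's gem in the lockfile and report its patch status.
def audit(lockfile_text, advisory = ADVISORY)
  version = locked_versions(lockfile_text)[advisory[:name]]
  return { found: false } if version.nil?
  { found: true, version: version, patched: patched?(version, advisory[:fixed_in]) }
end

if __FILE__ == $PROGRAM_NAME
  result = audit(SAMPLE_LOCKFILE)
  status = if !result[:found]
             "not in lockfile"
           elsif result[:patched]
             "ok"
           else
             "VULNERABLE (#{ADVISORY[:cve]}, needs #{ADVISORY[:fixed_in]})"
           end
  puts "#{ADVISORY[:name]} #{result[:version]}: #{status}"
end
```

Run against a real lockfile with `audit(File.read("Gemfile.lock"))`; the same check is what tools such as bundler-audit perform across their whole advisory database, so this is the manual equivalent for one CVE.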

Testing:

  • Do a work search with < and > symbols and make sure they display correctly in the summary on the results page

  • Do the same with a bookmark search

  • Post a new chapter of a work and make sure the chapter summary has all HTML stripped out of it in the subscription email (HTML version of the email)

  • Post a new work and make sure the work summary has all HTML stripped out of it in the subscription email (HTML version of the email)

  • Log in as a tag wrangler and post a comment on a tag that uses HTML. Then go to the Tag Wrangling discussion page at https://test.archiveofourown.org/tag_wranglings/discuss (if it loads on staging... it doesn't appear to want to for me) and make sure that when you hover over a table cell that links to a comment, the title that appears contains the full text of your comment, minus the HTML

  • Submit an abuse report that uses HTML, and make sure that when you are emailed a copy of the report, the plain text email does not include HTML

Activity

james_
June 13, 2018, 8:52 AM
Sarken
June 13, 2018, 7:25 PM

Work search summary:

  • You searched for: kudos count: < 5

  • You searched for: hits: > 20000

Bookmark search summary:

  • You searched for: <3

    • Note: If I follow Edit Your Search, what I see in the field is &lt;3, but that is also true on production when using this field (the "Any field on bookmark" field)

  • You searched for: Date bookmarked: > 1 year ago

Subscription emails:

  • TBD, waiting on email

Wrangling comments:

  • I left a comment, but the page with all wrangling comments doesn't load, as mentioned in the issue description. It gives a 502

Abuse email:

  • In the text email, my bold tags were replaced by asterisks, which is consistent with production

Sarken
June 14, 2018, 6:51 AM

Subscription emails came and there is no HTML in the chapter or work summaries. Looks good!

Lady Oscar
June 17, 2018, 6:04 AM

Looks good!

DeployedToBeta

Assignee

james_

Reporter

Sarken

Roadmap

Misc

Priority

High

Affects versions

Fix versions

Components

BackEnd
Gems

Difficulty

Easy

Milestone

Internal 0.9