Update sanitize to 4.6.3 or later

Description

We need to update sanitize due to a vulnerability:

Name: sanitize
Version: 4.5.0
Advisory: CVE-2018-3740
Criticality: Unknown
URL: https://github.com/rgrove/sanitize/issues/176
Title: HTML injection/XSS in Sanitize
Solution: upgrade to >= 4.6.3
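
The advisory block above uses the Name/Version/Advisory/Solution shape that bundler-audit prints. As an added example (not part of this ticket or the project's own code), the Ruby script below parses a constructed Gemfile.lock fragment, pulls out the pinned `sanitize` version, and evaluates it against the advisory's solution range with RubyGems' own `Gem::Requirement`, so the "upgrade to >= 4.6.3" condition is checked by the same version-comparison rules Bundler uses rather than by eye. The lock-file text, gem names and dependency lines in it are assumptions made up for the demonstration.

```ruby
# Added example, not the project's code: confirm whether the locked version of
# the sanitize gem satisfies the advisory's solution range (">= 4.6.3").
require "rubygems" # Gem::Version and Gem::Requirement come with RubyGems

# Advisory fields exactly as listed in the ticket description.
SANITIZE_ADVISORY = {
  name: "sanitize",
  advisory: "CVE-2018-3740",
  solution: ">= 4.6.3",
}.freeze

# Extract the locked version of one gem from Gemfile.lock text.
# A lock file pins each gem as "    name (version)" (four leading spaces) under
# the GEM/specs section; dependency lines are indented deeper and are skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# True when the pinned version falls outside the advisory's solution range.
# An unpinned gem is treated as affected: its version cannot be proven fixed.
def affected?(version_string, solution)
  return true if version_string.nil?
  !Gem::Requirement.new(solution).satisfied_by?(Gem::Version.new(version_string))
end

# Combine the two steps into one report for a lock file.
def check_lockfile(lockfile_text, advisory = SANITIZE_ADVISORY)
  version = locked_version(lockfile_text, advisory[:name])
  { gem: advisory[:name], version: version, affected: affected?(version, advisory[:solution]) }
end

# Constructed Gemfile.lock fragment (assumed for the demo, not the real lock file).
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      sanitize (4.5.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.4.4)
        nokogumbo (~> 1.4)
LOCK

# The same fragment after the upgrade this ticket asks for.
AFTER_LOCK = BEFORE_LOCK.sub("sanitize (4.5.0)", "sanitize (4.6.3)")

if __FILE__ == $PROGRAM_NAME
  [BEFORE_LOCK, AFTER_LOCK].each do |lock|
    r = check_lockfile(lock)
    status = r[:affected] ? "AFFECTED by #{SANITIZE_ADVISORY[:advisory]}" : "ok"
    puts "#{r[:gem]} #{r[:version] || '(unpinned)'}: #{status}"
  end
end
```

Run it against the real Gemfile.lock by reading the file into `check_lockfile`; the pre-upgrade fragment reports as affected and the 4.6.3 fragment as ok, which is the check to repeat after bumping the gem and before closing the ticket.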

Testing:

  • As an admin, check that you can add a screencast URL to an FAQ question and ensure it is not enclosed in paragraph tags

  • Check that you can add a video embed in a work, but not in a work summary

  • Check that you can use CSS classes in a work content, but not a work summary

  • Make sure you can import a work and it looks as expected

  • Make sure that if you post a work using the HTML editor without using paragraph tags, they get added

Activity

james_
June 13, 2018, 8:53 AM
Lady Oscar
June 18, 2018, 2:09 AM

--As an admin, added a screencast URL to an FAQ question. Link appears correctly and link text is not enclosed in paragraph tags
--Added a video embed in a work; it worked properly. Tried to add a video embed in a work summary; the HTML code was stripped out.

Lady Oscar
June 20, 2018, 6:02 AM

--Apparently you can use CSS classes in a work summary, but you also can on Beta, so that's OK
--Was able to import a work and it looks no more mangled than on Beta
--Entered text into the HTML editor with blank lines between paragraphs but no paragraph tags; paragraph tags were added appropriately.

DeployedToBeta

Assignee

james_

Reporter

redsummernight

Roadmap

Misc

Priority

High

Affects versions

Fix versions

Components

BackEnd
Gems

Difficulty

Easy

Milestone

Internal 0.9