We need to update sanitize due to a vulnerability:
Name: sanitize
Version: 4.5.0
Advisory: CVE-2018-3740
Criticality: Unknown
URL: https://github.com/rgrove/sanitize/issues/176
Title: HTML injection/XSS in Sanitize
Solution: upgrade to >= 4.6.3
Testing:
As an admin, check that you can add a screencast URL to an FAQ question and ensure it is not enclosed in paragraph tags
Check that you can add a video embed in a work, but not in a work summary
Check that you can use CSS classes in a work's content, but not in a work summary
Make sure you can import a work and it looks as expected
Make sure that if you post a work using the HTML editor without using paragraph tags, they get added
--As an admin, added a screencast URL to an FAQ question. Link appears correctly and link text is not enclosed in paragraph tags.
--Added a video embed in a work; it worked properly. Tried to add a video embed in a work summary; the HTML code was stripped out.
--Apparently you can use CSS classes in a work summary, but you also can on Beta, so that's OK
--Was able to import a work and it looks no more mangled than on Beta
--Entered text into the HTML editor with blank lines between paragraphs but no paragraph tags; paragraph tags were added appropriately.