Update rails-html-sanitizer to 1.0.4 or later

Description

We need to update rails-html-sanitizer due to a vulnerability:

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Testing:
To be determined.
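As an added example that is not part of the issue or the AO3 code base: a small Ruby check, modelled on the bundler-audit style report above, that reads a Gemfile.lock and reports whether the locked rails-html-sanitizer satisfies the advisory's ">= 1.0.4" fix requirement. The sample lock file contents, the ADVISORY constant and the locked_version and audit helpers are constructed for this example.

```ruby
# Added example, not code from the issue or the AO3 project: audit a
# Gemfile.lock for the rails-html-sanitizer advisory quoted in the issue.
require "rubygems"

# Fix requirement taken from the advisory's "Solution: upgrade to >= 1.0.4".
ADVISORY = {
  gem: "rails-html-sanitizer",
  cve: "CVE-2018-3741",
  patched: Gem::Requirement.new(">= 1.0.4"),
}.freeze

# Constructed sample lock file: the pre-upgrade state with 1.0.3 pinned.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.0)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK

# Returns the pinned version of +name+ from the lock file's specs section,
# or nil when the gem is not locked at all. Resolved specs sit at four
# spaces of indentation ("    name (x.y.z)"); dependency lines below them
# are indented further and carry requirements, not pinned versions.
def locked_version(lockfile, name)
  lockfile.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(name)} \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Returns :missing, :vulnerable or :patched for the given advisory.
def audit(lockfile, advisory = ADVISORY)
  version = locked_version(lockfile, advisory[:gem])
  return :missing if version.nil?
  advisory[:patched].satisfied_by?(version) ? :patched : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  version = locked_version(SAMPLE_LOCK, ADVISORY[:gem])
  puts "#{ADVISORY[:gem]} #{version}: #{audit(SAMPLE_LOCK)} (#{ADVISORY[:cve]})"
end
```

Point the script at the real Gemfile.lock (for example File.read("Gemfile.lock")) to confirm the bump landed after running bundle update rails-html-sanitizer.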

Activity

james_
June 13, 2018, 8:52 AM
redsummernight
June 14, 2018, 11:57 AM

From the gem's README:

Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using Loofah directly (that's what handles sanitization under the hood).

So if we test the new version of loofah (AO3-5366), that should be enough.

Lady Oscar
June 17, 2018, 6:27 AM

Loofah looks good, so this should be good!

DeployedToBeta

Assignee

james_

Reporter

redsummernight

Roadmap

Misc

Priority

High

Affects versions

Fix versions

Components

BackEnd
Gems

Difficulty

Easy

Milestone

Internal 0.9