
Update loofah to 2.2.3 or later

Description

We need to update loofah due to a vulnerability:

Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/issues/154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Testing:

  • Do a work search with < and > symbols and make sure they display correctly in the summary on the results page

  • Do the same with a bookmark search

  • Post a new chapter of a work and make sure the chapter summary has all HTML stripped out of it in the subscription email (HTML version of the email)

  • Post a new work and make sure the work summary has all HTML stripped out of it in the subscription email (HTML version of the email)

  • Log in as a tag wrangler and post a comment on a tag that uses HTML. Then go to the Tag Wrangling discussion page at https://test.archiveofourown.org/tag_wranglings/discuss (if it loads on staging... it doesn't appear to want to for me) and make sure that when you hover over a table cell that links to a comment, the title that appears contains the full text of your comment, minus the HTML

  • Submit an abuse report that uses HTML, and make sure that when you are emailed a copy of the report, the plain text email does not include HTML
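The QA steps above come down to two properties: text shown on an HTML page (the search results summary) must be escaped so a typed `<` or `>` appears as typed, and text placed in plain-text outputs (subscription e-mail, abuse-report copy, tag-comment hover title) must have its markup removed. The Ruby script below is an added example, not code from this ticket or from the AO3 codebase; it encodes those expectations as checks over constructed sample strings. The stripper it uses is a deliberately naive stand-in so the file runs without the loofah gem; the converter the application itself would pass is assumed to be `Loofah.fragment(html).to_text`.

```ruby
require 'cgi/escape'

# Constructed sample inputs mirroring the ticket's QA steps (not real AO3 data).
SEARCH_QUERY_SUMMARY = 'results for a < b > c'
CHAPTER_SUMMARY      = '<p>Chapter 2: <em>the</em> <script>alert(1)</script>plot thickens &amp; more</p>'
ABUSE_REPORT         = 'See <a href="http://example.invalid/x" onclick="steal()">this page</a>'

# Display path (search results page): user text is HTML-escaped, so a literal
# "<" or ">" survives as &lt; / &gt; and renders as the character the user typed.
def display_summary(text)
  CGI.escapeHTML(text)
end

# Tag-like sequences; used only by the stand-in stripper and the checks below.
TAG_RE = /<[^>]*>/

# Stand-in plain-text converter. Assumption: the app would use
# ->(html) { Loofah.fragment(html).to_text } here. This one is deliberately naive
# so the file runs without the loofah gem; a regex is NOT a safe HTML sanitizer.
NAIVE_STRIP = ->(html) { CGI.unescapeHTML(html.gsub(TAG_RE, '')) }

# Plain-text path (subscription e-mail, abuse-report copy, tag-comment title).
def plain_text(html, strip: NAIVE_STRIP)
  strip.call(html)
end

# QA step 1/2: angle brackets in a search summary display as typed.
def angle_brackets_survive?(text)
  rendered = display_summary(text)
  !rendered.include?('<') && CGI.unescapeHTML(rendered) == text
end

# QA steps 3-6: no tags or event-handler attributes reach a plain-text output.
def markup_stripped?(html, strip: NAIVE_STRIP)
  out = plain_text(html, strip: strip)
  !out.match?(TAG_RE) && !out.include?('onclick')
end

# Runs every check and returns name => pass/fail. The second entry is expected to
# be false: stripping (rather than escaping) a search summary eats "< b >", which
# is why the display path escapes and only the e-mail/title paths strip.
def run_checks(strip: NAIVE_STRIP)
  {
    search_summary_display:         angle_brackets_survive?(SEARCH_QUERY_SUMMARY),
    strip_preserves_angle_brackets: plain_text(SEARCH_QUERY_SUMMARY, strip: strip) == SEARCH_QUERY_SUMMARY,
    chapter_email:                  markup_stripped?(CHAPTER_SUMMARY, strip: strip),
    abuse_report_email:             markup_stripped?(ABUSE_REPORT, strip: strip),
  }
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{name}" }
end
```

Run as a plain script it prints PASS for the display and plain-text expectations and FAIL for `strip_preserves_angle_brackets`; that failure is the lesson behind the first two QA steps, since a sanitizer upgrade that accidentally routed search summaries through the stripping path would silently drop a literal `< b >`. To exercise the real dependency, pass `strip: ->(h) { Loofah.fragment(h).to_text }` to `run_checks`.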

Environment

None

Status

Assignee

redsummernight

Reporter

Sarken

Roadmap

Misc

Priority

High

Affects versions

0.9.224

Fix versions

Components

BackEnd

Difficulty

Easy

Required Access Level

None

Epic Link

Milestone

Internal 0.9