We use this gem for caching the RSS tag feeds, and we need to update it to fix a vulnerability:
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
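As an added illustration of the defect class named in that advisory (example code written here, not the actionpack_page-caching gem's own implementation or the fix it shipped in 1.2.1), the Ruby below builds the on-disk file name for a cached page from the request path, the way a page cache does, and refuses any request path whose cleaned form would land outside the cache root. The cache root, the helper names (`cache_file_path`, `cache_page`, `cacheable?`) and the sample paths are all constructed for this example.

```ruby
require "pathname"
require "fileutils"
require "tmpdir"

# Added example, not the gem's code: a minimal page cache that stores rendered
# pages under a fixed root and rejects request paths that would escape it.
DEFAULT_CACHE_ROOT = "/var/www/app/public/cache" # assumed location

class CachePathError < StandardError; end

# Map a request path (e.g. "/tags/Foo/feed.atom") to a file under cache_root.
# Raises CachePathError when the lexically cleaned path leaves cache_root,
# which is the "write arbitrary files" problem the advisory describes.
def cache_file_path(request_path, cache_root = DEFAULT_CACHE_ROOT)
  root = Pathname.new(cache_root).cleanpath
  # Keep only the path component; the query string never becomes part of the key.
  path = request_path.to_s.split("?", 2).first.to_s
  raise CachePathError, "null byte in request path" if path.include?("\0")
  path = "index" if path.empty? || path == "/"
  path += ".html" if File.extname(path).empty? # page-cache style naming (assumed)
  # Strip leading slashes so Pathname#+ treats the path as relative to root,
  # then cleanpath resolves any ".." segments lexically without touching disk.
  candidate = (root + path.sub(%r{\A/+}, "")).cleanpath
  inside = candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
  raise CachePathError, "request path escapes cache root: #{request_path.inspect}" unless inside
  candidate.to_s
end

# Write a rendered page into the cache and return the file name written.
def cache_page(request_path, body, cache_root = DEFAULT_CACHE_ROOT)
  file = cache_file_path(request_path, cache_root)
  FileUtils.mkdir_p(File.dirname(file))
  File.write(file, body)
  file
end

# True if the request path maps inside the cache root, false otherwise.
def cacheable?(request_path, cache_root = DEFAULT_CACHE_ROOT)
  cache_file_path(request_path, cache_root)
  true
rescue CachePathError
  false
end

if $PROGRAM_NAME == __FILE__
  puts cache_file_path("/tags/Foo/feed.atom")
  puts cacheable?("/../../../../../etc/cron.d/evil")
end
```

The containment check is done on the cleaned path string rather than on the raw request path, so encoded or doubled separators and `..` segments in the middle of the path are all judged by where they actually resolve; in a real Rails deployment the same check belongs wherever the cache file name is computed, before anything is written.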
How to test: Dependabot updated a bunch of gems. We're testing the ones with a major or minor version change, skipping the patch version changes.
Pick a fandom/character/relationship tag, check its RSS feed.
Post a new work with that tag, check that the feed now has the new work.
erubi: This is used for literally every template/view. So if the site loads and looks normal, we're good.
loofah/rails-html-sanitizer: Post a new work and make sure the work summary has all HTML stripped out of it in the subscription email (HTML version of the email). We could test more (like ), but nah.
Also of note: we have plans to stop using this gem altogether. See .