Hi Daniel,

On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta <guptautkarsh2...@gmail.com> wrote:
> Please hold off on the update for a while. I have something to add wrt
> ruby-rails-html-sanitizer. I just haven't had the time to write it
> down, I'll get back in another ~7h.
In order to fix the CVEs of ruby-rails-html-sanitizer (also in dla-needed), we need to ensure that the newer methods that the library uses from newer loofah are backported. Some of these methods would've been backported by you already (as a part of fixing the CVEs in ruby-loofah) and there might be some remaining. I could do a thorough review of your patches if you'd like (let me know) and make sure that we have everything that we might need for ruby-rails-html-sanitizer, too.

I also propose that we release the two around the same time (after smoke-testing, ensuring that the two work well with each other). I suppose everyone using rails-html-sanitizer should be using loofah, too, so it's important we fix both and test them well. :)

- u