Hello community,

here is the log from the commit of package ghc-xss-sanitize for 
openSUSE:Factory checked in at 2021-10-12 21:49:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-xss-sanitize (Old)
 and      /work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghc-xss-sanitize"

Tue Oct 12 21:49:03 2021 rev:4 rq:921711 version:0.3.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-xss-sanitize/ghc-xss-sanitize.changes        
2020-12-22 11:49:35.378013988 +0100
+++ 
/work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.2443/ghc-xss-sanitize.changes  
    2021-10-12 21:50:19.055954545 +0200
@@ -1,0 +2,8 @@
+Mon Sep 20 07:11:01 UTC 2021 - psim...@suse.com
+
+- Update xss-sanitize to version 0.3.7.
+  # 0.3.7
+
+  clear the contents of style and script tags instead of escaping them
+
+-------------------------------------------------------------------

Old:
----
  xss-sanitize-0.3.6.tar.gz

New:
----
  xss-sanitize-0.3.7.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghc-xss-sanitize.spec ++++++
--- /var/tmp/diff_new_pack.8JbF4Y/_old  2021-10-12 21:50:19.635955375 +0200
+++ /var/tmp/diff_new_pack.8JbF4Y/_new  2021-10-12 21:50:19.635955375 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package ghc-xss-sanitize
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %global pkg_name xss-sanitize
 %bcond_with tests
 Name:           ghc-%{pkg_name}
-Version:        0.3.6
+Version:        0.3.7
 Release:        0
 Summary:        Sanitize untrusted HTML to prevent XSS attacks
 License:        BSD-2-Clause

++++++ xss-sanitize-0.3.6.tar.gz -> xss-sanitize-0.3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xss-sanitize-0.3.6/ChangeLog.md 
new/xss-sanitize-0.3.7/ChangeLog.md
--- old/xss-sanitize-0.3.6/ChangeLog.md 2018-06-28 11:28:26.000000000 +0200
+++ new/xss-sanitize-0.3.7/ChangeLog.md 2021-09-18 18:42:36.000000000 +0200
@@ -1,3 +1,7 @@
+# 0.3.7
+
+clear the contents of style and script tags instead of escaping them
+
 # 0.3.5.6
 
 expose safeTagName
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xss-sanitize-0.3.6/README.md 
new/xss-sanitize-0.3.7/README.md
--- old/xss-sanitize-0.3.6/README.md    2018-06-28 18:03:48.000000000 +0200
+++ new/xss-sanitize-0.3.7/README.md    2021-09-18 18:49:58.000000000 +0200
@@ -1,7 +1,6 @@
 # Summary
 
-[![Build 
Status](https://travis-ci.org/yesodweb/haskell-xss-sanitize.svg?branch=master)](https://travis-ci.org/yesodweb/haskell-xss-sanitize)
-[![Build 
status](https://ci.appveyor.com/api/projects/status/1i4xx9qi53r58tsh/branch/master?svg=true)](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master)
+[![Tests](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml/badge.svg)](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml)
 
 xss-sanitize allows you to accept html from untrusted sources by first 
filtering it through a white list.
 The white list filtering is fairly comprehensive, including support for css in 
style attributes, but there are limitations enumerated below.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xss-sanitize-0.3.6/src/Text/HTML/SanitizeXSS.hs 
new/xss-sanitize-0.3.7/src/Text/HTML/SanitizeXSS.hs
--- old/xss-sanitize-0.3.6/src/Text/HTML/SanitizeXSS.hs 2018-07-02 
07:52:20.000000000 +0200
+++ new/xss-sanitize-0.3.7/src/Text/HTML/SanitizeXSS.hs 2021-09-18 
18:42:36.000000000 +0200
@@ -43,12 +43,12 @@
 
 -- | alias of sanitize function
 sanitizeXSS :: Text -> Text
-sanitizeXSS = filterTags safeTags
+sanitizeXSS = filterTags (safeTags . clearTags)
 
 -- | Sanitize HTML to prevent XSS attacks and also make sure the tags are 
balanced.
 --   This is equivalent to @filterTags (balanceTags . safeTags)@.
 sanitizeBalance :: Text -> Text
-sanitizeBalance = filterTags (balanceTags . safeTags)
+sanitizeBalance = filterTags (balanceTags . safeTags . clearTags)
 
 -- | Filter which makes sure the tags are balanced.  Use with 'filterTags' and 
'safeTags' to create a custom filter.
 balanceTags :: [Tag Text] -> [Tag Text]
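Review bot: The Haddock on `sanitizeBalance` is now stale: it still says the function is equivalent to `@filterTags (balanceTags . safeTags)@`, while the body below it now composes `clearTags` first. Change the comment to `--   This is equivalent to @filterTags (balanceTags . safeTags . clearTags)@.` and add a sentence to the `sanitizeXSS` Haddock noting that the contents of `<script>` and `<style>` elements are now dropped rather than escaped, since callers who relied on that text surviving as escaped output will see different results. Callers that assembled their own pipeline from `filterTags safeTags` or `safeTagsCustom` do not pick up the new behaviour unless they add `clearTags` themselves; that is worth stating explicitly if `clearTags` is exported (the export list is outside this hunk).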
@@ -108,6 +108,26 @@
   | otherwise = safeTagsCustom safeName sanitizeAttr tags
 safeTagsCustom n a (t:tags) = t : safeTagsCustom n a tags
 
+clearTags :: [Tag Text] -> [Tag Text]
+clearTags = clearTagsCustom clearableTagName
+
+clearTagsCustom :: (Text -> Bool) -> [Tag Text] -> [Tag Text]
+clearTagsCustom _ [] = []
+clearTagsCustom clearableName (tag@(TagOpen name _) : tags)
+    | clearableName name = tag : go 0 tags
+    | otherwise = tag : clearTagsCustom clearableName tags
+  where
+    go d (t@(TagOpen n _) : ts)
+        | n /= name = go d ts
+        | otherwise = go (d + 1) ts
+    go d (t@(TagClose n) : ts)
+        | n /= name = go d ts
+        | d == 0 = t : clearTagsCustom clearableName ts
+        | otherwise = go (d - 1) ts
+    go d (t : ts) = go d ts
+    go d [] = []
+clearTagsCustom clearableName (t : tags) = t : clearTagsCustom clearableName 
tags
+
 safeTagName :: Text -> Bool
 safeTagName tagname = tagname `member` sanitaryTags
 
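Review bot: `go d [] = []` in `clearTagsCustom` means an unclosed `<script>` or `<style>` silently discards every tag after it to the end of the input, so one unterminated tag in untrusted HTML erases the rest of the document. That is a fail-closed choice and defensible for a sanitizer, but it should be deliberate and documented rather than implicit; a Haddock such as `-- | Drop everything between an opening clearable tag and its matching close tag (nesting of the same tag is tracked by depth); if no close tag is found the remainder of the input is dropped.` above `clearTagsCustom` would make that contract visible to anyone building a custom filter. Matching is by exact `Text` equality on the tag name, so `<SCRIPT>` is only caught if the parser behind `filterTags` (outside this hunk) already lower-cases names — worth confirming, though a miss would only fall back to the previous escaping in `safeTags` rather than let script through. The `t@` binders in the `TagOpen` and catch-all equations of `go` are unused and will warn under `-Wall`; `go d (TagOpen n _ : ts)` and `go _ (_ : ts)` read cleaner.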
@@ -115,6 +135,9 @@
 safeAttribute (name, value) = name `member` sanitaryAttributes &&
   (name `notMember` uri_attributes || sanitaryURI value)
 
+clearableTagName :: Text -> Bool
+clearableTagName tagname = tagname `member` clearableTags
+
 -- | low-level API if you have your own HTML parser. Used by safeTags.
 sanitizeAttribute :: (Text, Text) -> Maybe (Text, Text)
 sanitizeAttribute ("style", value) =
@@ -149,6 +172,9 @@
 sanitaryAttributes = fromList (allowed_html_uri_attributes ++ 
acceptable_attributes ++ mathml_attributes ++ svg_attributes)
   \\ (fromList svg_attr_val_allows_ref) -- extra unescaping not implemented
 
+clearableTags :: Set Text
+clearableTags = fromList ["script", "style"]
+
 allowed_html_uri_attributes :: [Text]
 allowed_html_uri_attributes = ["href", "src", "cite", "action", "longdesc"]
 
@@ -272,4 +298,3 @@
     "animateMotion", "animateTransform", "cursor", "feImage", "filter",
     "linearGradient", "pattern", "radialGradient", "textpath", "tref",
     "set", "use"]
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xss-sanitize-0.3.6/xss-sanitize.cabal 
new/xss-sanitize-0.3.7/xss-sanitize.cabal
--- old/xss-sanitize-0.3.6/xss-sanitize.cabal   2018-07-02 07:52:23.000000000 
+0200
+++ new/xss-sanitize-0.3.7/xss-sanitize.cabal   2021-09-18 18:45:16.000000000 
+0200
@@ -1,11 +1,11 @@
--- This file has been generated from package.yaml by hpack version 0.28.2.
+cabal-version: 1.12
+
+-- This file has been generated from package.yaml by hpack version 0.34.4.
 --
 -- see: https://github.com/sol/hpack
---
--- hash: 12365b28c17ec0278092a7008af7bd838b0bc4f21a2ee2072d484601b74a6379
 
 name:           xss-sanitize
-version:        0.3.6
+version:        0.3.7
 synopsis:       sanitize untrusted HTML to prevent XSS attacks
 description:    run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS 
to prevent XSS attacks. see README.md 
<http://github.com/yesodweb/haskell-xss-sanitize> for more details
 category:       Web
@@ -17,10 +17,9 @@
 license:        BSD2
 license-file:   LICENSE
 build-type:     Simple
-cabal-version:  >= 1.10
 extra-source-files:
-    ChangeLog.md
     README.md
+    ChangeLog.md
 
 source-repository head
   type: git
