Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghc-xss-sanitize for openSUSE:Factory checked in at 2021-10-12 21:49:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-xss-sanitize (Old) and /work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.2443 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-xss-sanitize" Tue Oct 12 21:49:03 2021 rev:4 rq:921711 version:0.3.7 Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-xss-sanitize/ghc-xss-sanitize.changes 2020-12-22 11:49:35.378013988 +0100 +++ /work/SRC/openSUSE:Factory/.ghc-xss-sanitize.new.2443/ghc-xss-sanitize.changes 2021-10-12 21:50:19.055954545 +0200 @@ -1,0 +2,8 @@ +Mon Sep 20 07:11:01 UTC 2021 - psim...@suse.com + +- Update xss-sanitize to version 0.3.7. + # 0.3.7 + + clear the contents of style and script tags instead of escaping them + +------------------------------------------------------------------- Old: ---- xss-sanitize-0.3.6.tar.gz New: ---- xss-sanitize-0.3.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-xss-sanitize.spec ++++++ --- /var/tmp/diff_new_pack.8JbF4Y/_old 2021-10-12 21:50:19.635955375 +0200 +++ /var/tmp/diff_new_pack.8JbF4Y/_new 2021-10-12 21:50:19.635955375 +0200 @@ -1,7 +1,7 @@ # # spec file for package ghc-xss-sanitize # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %global pkg_name xss-sanitize %bcond_with tests Name: ghc-%{pkg_name} -Version: 0.3.6 +Version: 0.3.7 Release: 0 Summary: Sanitize untrusted HTML to prevent XSS attacks License: BSD-2-Clause ++++++ xss-sanitize-0.3.6.tar.gz -> xss-sanitize-0.3.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.6/ChangeLog.md new/xss-sanitize-0.3.7/ChangeLog.md --- old/xss-sanitize-0.3.6/ChangeLog.md 2018-06-28 11:28:26.000000000 +0200 +++ new/xss-sanitize-0.3.7/ChangeLog.md 2021-09-18 18:42:36.000000000 +0200 
@@ -1,3 +1,7 @@ +# 0.3.7 + +clear the contents of style and script tags instead of escaping them + # 0.3.5.6 expose safeTagName diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.6/README.md new/xss-sanitize-0.3.7/README.md --- old/xss-sanitize-0.3.6/README.md 2018-06-28 18:03:48.000000000 +0200 +++ new/xss-sanitize-0.3.7/README.md 2021-09-18 18:49:58.000000000 +0200 @@ -1,7 +1,6 @@ # Summary -[![Build Status](https://travis-ci.org/yesodweb/haskell-xss-sanitize.svg?branch=master)](https://travis-ci.org/yesodweb/haskell-xss-sanitize) -[![Build status](https://ci.appveyor.com/api/projects/status/1i4xx9qi53r58tsh/branch/master?svg=true)](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master) +[![Tests](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml/badge.svg)](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml) xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.6/src/Text/HTML/SanitizeXSS.hs new/xss-sanitize-0.3.7/src/Text/HTML/SanitizeXSS.hs --- old/xss-sanitize-0.3.6/src/Text/HTML/SanitizeXSS.hs 2018-07-02 07:52:20.000000000 +0200 +++ new/xss-sanitize-0.3.7/src/Text/HTML/SanitizeXSS.hs 2021-09-18 18:42:36.000000000 +0200 
@@ -43,12 +43,12 @@ -- | alias of sanitize function sanitizeXSS :: Text -> Text -sanitizeXSS = filterTags safeTags +sanitizeXSS = filterTags (safeTags . clearTags) -- | Sanitize HTML to prevent XSS attacks and also make sure the tags are balanced. -- This is equivalent to @filterTags (balanceTags . safeTags)@. sanitizeBalance :: Text -> Text -sanitizeBalance = filterTags (balanceTags . safeTags) +sanitizeBalance = filterTags (balanceTags . safeTags . clearTags) -- | Filter which makes sure the tags are balanced. Use with 'filterTags' and 'safeTags' to create a custom filter. balanceTags :: [Tag Text] -> [Tag Text] @@ -108,6 +108,26 @@ | otherwise = safeTagsCustom safeName sanitizeAttr tags safeTagsCustom n a (t:tags) = t : safeTagsCustom n a tags +clearTags :: [Tag Text] -> [Tag Text] +clearTags = clearTagsCustom clearableTagName + +clearTagsCustom :: (Text -> Bool) -> [Tag Text] -> [Tag Text] +clearTagsCustom _ [] = [] +clearTagsCustom clearableName (tag@(TagOpen name _) : tags) + | clearableName name = tag : go 0 tags + | otherwise = tag : clearTagsCustom clearableName tags + where + go d (t@(TagOpen n _) : ts) + | n /= name = go d ts + | otherwise = go (d + 1) ts + go d (t@(TagClose n) : ts) + | n /= name = go d ts + | d == 0 = t : clearTagsCustom clearableName ts + | otherwise = go (d - 1) ts + go d (t : ts) = go d ts + go d [] = [] +clearTagsCustom clearableName (t : tags) = t : clearTagsCustom clearableName tags + safeTagName :: Text -> Bool safeTagName tagname = tagname `member` sanitaryTags @@ -115,6 +135,9 @@ safeAttribute (name, value) = name `member` sanitaryAttributes && (name `notMember` uri_attributes || sanitaryURI value) +clearableTagName :: Text -> Bool +clearableTagName tagname = tagname `member` clearableTags + -- | low-level API if you have your own HTML parser. Used by safeTags. sanitizeAttribute :: (Text, Text) -> Maybe (Text, Text) sanitizeAttribute ("style", value) = 
@@ -149,6 +172,9 @@ sanitaryAttributes = fromList (allowed_html_uri_attributes ++ acceptable_attributes ++ mathml_attributes ++ svg_attributes) \\ (fromList svg_attr_val_allows_ref) -- extra unescaping not implemented +clearableTags :: Set Text +clearableTags = fromList ["script", "style"] + allowed_html_uri_attributes :: [Text] allowed_html_uri_attributes = ["href", "src", "cite", "action", "longdesc"] @@ -272,4 +298,3 @@ "animateMotion", "animateTransform", "cursor", "feImage", "filter", "linearGradient", "pattern", "radialGradient", "textpath", "tref", "set", "use"] - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xss-sanitize-0.3.6/xss-sanitize.cabal new/xss-sanitize-0.3.7/xss-sanitize.cabal --- old/xss-sanitize-0.3.6/xss-sanitize.cabal 2018-07-02 07:52:23.000000000 +0200 +++ new/xss-sanitize-0.3.7/xss-sanitize.cabal 2021-09-18 18:45:16.000000000 +0200 @@ -1,11 +1,11 @@ --- This file has been generated from package.yaml by hpack version 0.28.2. +cabal-version: 1.12 + +-- This file has been generated from package.yaml by hpack version 0.34.4. -- -- see: https://github.com/sol/hpack --- --- hash: 12365b28c17ec0278092a7008af7bd838b0bc4f21a2ee2072d484601b74a6379 name: xss-sanitize -version: 0.3.6 +version: 0.3.7 synopsis: sanitize untrusted HTML to prevent XSS attacks description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for more details category: Web @@ -17,10 +17,9 @@ license: BSD2 license-file: LICENSE build-type: Simple -cabal-version: >= 1.10 extra-source-files: - ChangeLog.md README.md + ChangeLog.md source-repository head type: git
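Review bot: the haddock in the `@@ -43,12 +43,12 @@` hunk of `SanitizeXSS.hs` is now stale: `sanitizeBalance` still says "This is equivalent to @filterTags (balanceTags . safeTags)@" while the body was changed to `filterTags (balanceTags . safeTags . clearTags)`. Update that sentence, and add a line to the `sanitizeXSS` comment saying that the contents of `script` and `style` elements are dropped rather than escaped, since that is the user-visible behaviour change of this release. The `sanitizeXSS` comment also still reads "alias of sanitize function"; `sanitize` is not touched by this diff, so confirm it still routes through `sanitizeXSS` and therefore picks up `clearTags` too.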
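Review bot: in the `@@ -108,6 +108,26 @@` hunk, `clearTagsCustom` has a silent-truncation path: once `clearableName name` matches, `go` consumes the token list until it finds a `TagClose` with the same name, and `go d [] = []` means an unclosed `<script>` or `<style>` in the input drops everything after it (the open tag itself is still emitted and left for `safeTags` to strip). That fails in the safe direction for XSS, but it is a loss of content the caller cannot detect; either state it in a haddock for `clearTags`/`clearTagsCustom` (neither function has one) or make `go` bail out at a reasonable point instead of eating to end of input. Two smaller points in the same hunk: `t` in `go d (t@(TagOpen n _) : ts)` and `d` in `go d [] = []` are bound but unused, so this warns under `-Wall`; and the match is a plain `member` lookup on the parsed name, so it is worth a test that `<SCRIPT>` and `<Style>` are cleared as well, which depends on the tag parser lowercasing names. The tarball diff (`ChangeLog.md`, `README.md`, `SanitizeXSS.hs`, `xss-sanitize.cabal`) shows no test change for the new clearing, so please add cases for the nested, unclosed and mixed-case forms.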
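Review bot: in the `ChangeLog.md` hunk the new entry `# 0.3.7` is placed directly above `# 0.3.5.6`, so there is still no changelog entry for 0.3.6 even though the package is being bumped from 0.3.6 to 0.3.7. Please add a 0.3.6 heading (even a one-line one) so the version history in the file matches the released versions.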