From 3fd6e650f991ce687961da45038b77504114d237 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Sun, 1 Dec 2024 14:16:09 -0500 Subject: [PATCH] doc: update CHANGELOG --- CHANGELOG.md | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3da579..3fc0251 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,38 @@ -## next / unreleased +## 1.6.1 / unreleased + +This is a performance and security release which addresses several possible XSS vulnerabilities. + +* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8. + + This change addresses CVE-TODO (GHSA-w8gc-x259-rc7x). + + *Mike Dalessio* + +* Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), + regardless of the `prune:` option value. Previously, disallowed tags were "stripped" unless the + gem was configured with the `prune: true` option. + + The CVEs addressed by this change are: + + - CVE-TODO (GHSA-638j-pmjw-jq48) + - CVE-TODO (GHSA-2x5m-9ch4-qgrr) + + *Mike Dalessio* + +* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to + the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags + are removed from the allow-list. + + The CVEs addressed by this change are: + + - CVE-TODO (GHSA-cfjx-w229-hgx5) + - CVE-TODO (GHSA-rxv5-gxqc-xx8g) + + Please note that we _may_ restore support for allowing "noscript" in a future release. We do not + expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal + for these tags. + + *Mike Dalessio* * Improve performance by eliminating needless operations on attributes that are being removed. #188