!8 [sync] PR-7: update to version 2.18.0

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
update to version 2.18.0
2022-08-22 06:28:53 +00:00 · 2022-08-22 14:15:34 +08:00 · 2022-03-04 09:17:23 +00:00 · 2022-03-03 13:56:03 +08:00 · 2020-10-10 15:51:46 +08:00 · 2020-10-10 14:05:09 +08:00
5 changed files with 17 additions and 94 deletions
--- a/loofah-2.18.0.gem
+++ b/loofah-2.18.0.gem
--- a/loofah-2.2.3.gem
+++ b/loofah-2.2.3.gem
--- a/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+++ b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
@ -1,83 +0,0 @@
-From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
-From: Mike Dalessio <mike.dalessio@gmail.com>
-Date: Wed, 9 Oct 2019 15:36:32 -0400
-Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
-
-this addresses CVE-2019-15587
-
-see #171 for more information
-
-https://github.com/flavorjones/loofah/issues/171
---
- lib/loofah/html5/safelist.rb    |  3 ---
- test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
- 2 files changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
-index 8abd922..4b2b6dd 100644
--- a/lib/loofah/html5/whitelist.rb
-+++ b/lib/loofah/html5/whitelist.rb
-@@ -88,7 +88,7 @@
- 
-       SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-        arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class clip-path clip-rule color
-+       calcMode cap-height class clip-path clip-rule color
-        color-interpolation-filters color-rendering content cx cy d dx
-        dy descent display dur end fill fill-opacity fill-rule
-        filterRes filterUnits font-family
-@@ -105,9 +105,9 @@
-        stemv stop-color stop-opacity strikethrough-position
-        strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-        stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-+       stroke-width systemLanguage target text-anchor transform type u1
-        u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-+       units-per-em version viewBox visibility width widths x
-        x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-        xmlns:xlink y y1 y2 zoomAndPan]
-diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
-index 16fccbb..cc6fc65 100644
--- a/test/integration/test_ad_hoc.rb
-+++ b/test/integration/test_ad_hoc.rb
-@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
-       end
-     end
- 
-    # see:
-    # - https://github.com/flavorjones/loofah/issues/154
-    # - https://hackerone.com/reports/429267
-    context "xss protection from svg xmlns:xlink animate attribute" do
-      it "sanitizes appropriate attributes" do
-        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
-+    context "xss protection from svg animate attributes" do
-+      # see recommendation from https://html5sec.org/#137
-+      # to sanitize "to", "from", "values", and "by" attributes
-+
-+      it "sanitizes 'from', 'to', and 'by' attributes" do
-+        # for CVE-2018-16468
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/154
-+        # - https://hackerone.com/reports/429267
-+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
-+
-         sanitized = Loofah.scrub_fragment(html, :escape)
-         assert_nil sanitized.at_css("animate")["from"]
-+        assert_nil sanitized.at_css("animate")["to"]
-+        assert_nil sanitized.at_css("animate")["by"]
-+      end
-+
-+      it "sanitizes 'values' attribute" do
-+        # for CVE-2019-15587
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/171
-+        # - https://hackerone.com/reports/709009
-+        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
-+
-+        sanitized = Loofah.scrub_fragment(html, :escape)
-+        assert_nil sanitized.at_css("animate")["values"]
-       end
-     end
-   end
--- a/rubygem-loofah.spec
+++ b/rubygem-loofah.spec
@ -1,14 +1,17 @@
 %global gem_name loofah
+
 Name:                rubygem-%{gem_name}
-Version:             2.2.3
+Version:             2.18.0
 Release:             1
 Summary:             Manipulate and transform HTML/XML documents and fragments
 License:             MIT
 URL:                 https://github.com/flavorjones/loofah
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Patch0:              rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+# git clone https://github.com/flavorjones/loofah.git && cd loofah
+# git archive -v -o loofah-2.10.0-test.tar.gz v2.10.0 test/
+Source1:             https://github.com/flavorjones/loofah/archive/refs/tags/v2.18.0.tar.gz
 BuildRequires:       ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
-BuildRequires:       rubygem(crass)
+BuildRequires:       rubygem(crass) rubygem(rr) ruby
 BuildArch:           noarch
 %description
 Loofah is a general library for manipulating and transforming HTML/XML
@ -26,8 +29,7 @@ BuildArch:           noarch
 Documentation for %{name}.

 %prep
-%setup -q -n %{gem_name}-%{version}
-%patch0 -p1
+%setup -q -n %{gem_name}-%{version} -b1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -40,12 +42,12 @@ cp -a .%{gem_dir}/* \

 %check
 pushd .%{gem_instdir}
+cp -a %{_builddir}/%{gem_name}-%{version}/test .
 ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 popd

 %files
 %dir %{gem_instdir}
-%exclude %{gem_instdir}/.*
 %license %{gem_instdir}/MIT-LICENSE.txt
 %{gem_libdir}
 %exclude %{gem_cache}
@ -54,14 +56,18 @@ popd
 %files doc
 %doc %{gem_docdir}
 %doc %{gem_instdir}/CHANGELOG.md
-%{gem_instdir}/Gemfile
-%doc %{gem_instdir}/Manifest.txt
 %doc %{gem_instdir}/README.md
-%{gem_instdir}/Rakefile
 %doc %{gem_instdir}/SECURITY.md
-%{gem_instdir}/benchmark
-%{gem_instdir}/test

 %changelog
+* Thu Jul 14 2022 Ge Wang <wangge20@h-partners.com> - 2.18.0-1
+- update to 2.18.0
+
+* Thu Mar 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.10.0-1
+- update to 2.10.0
+
+* Sat Sep 5 2020 yanan li <liyanan032@huawei.com> - 2.2.3-2
+- Fix build fail
+
 * Tue Aug 18 2020 geyanan <geyanan2@huawei.com> - 2.2.3-1
 - package init
--- a/v2.18.0.tar.gz
+++ b/v2.18.0.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	30801c40fe	!8 [sync] PR-7: update to version 2.18.0 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2022-08-22 06:28:53 +00:00
wang--ge	5db005705d	update to version 2.18.0 (cherry picked from commit 82f95d1d23ef767e06b7b575ae3e450a9baf1cc1)	2022-08-22 14:15:34 +08:00
openeuler-ci-bot	bba84720af	!4 update to 2.10.0 From: @jxy_git Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu	2022-03-04 09:17:23 +00:00
jxy_git	263288ac29	update to 2.10.0	2022-03-03 13:56:03 +08:00
openeuler-ci-bot	ce23804a52	!3 yaml fix From: @gyn_emma Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu	2020-10-10 15:51:46 +08:00
GYN	58d3631628	update rubygem-loofah.yaml.	2020-10-10 14:05:09 +08:00
openeuler-ci-bot	e50da0498a	!2 fix build fail Merge pull request !2 from lyn/master	2020-09-07 12:05:51 +08:00
lyn1001	20cb484d2f	fix build fail	2020-09-05 17:26:16 +08:00
openeuler-ci-bot	2dc070efda	!1 package init Merge pull request !1 from GYN/master	2020-08-27 09:11:53 +08:00
GYN	2e3f0a5bcd	change spec	2020-08-25 10:46:27 +08:00