Bump the bundler group in /gemfiles/rails_61_turbolinks with 11 updates

[dependabot]

Bumps the bundler group in /gemfiles/rails_61_turbolinks with 11 updates:

Package	From	To
actionpack	6.1.4.4	6.1.7.8
actionview	6.1.4.4	6.1.7.8
activerecord	6.1.4.4	6.1.7.8
activestorage	6.1.4.4	6.1.7.8
activesupport	6.1.4.4	6.1.7.8
globalid	1.0.0	1.2.1
loofah	2.13.0	2.22.0
nokogiri	1.12.5	1.16.5
rack	2.2.3	2.2.9
rails-html-sanitizer	1.4.2	1.6.0
rexml	3.2.5	3.2.8

Updates actionpack from 6.1.4.4 to 6.1.7.8

Release notes

Sourced from actionpack's releases.

6.1.7.8

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• b329b26 include the HTTP Permissions-Policy on non-HTML Content-Types
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• 7d949d7 Preparing for 6.1.7.4 release
• Additional commits viewable in compare view

Updates actionview from 6.1.4.4 to 6.1.7.8

Release notes

Sourced from actionview's releases.

6.1.7.8

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• 7d949d7 Preparing for 6.1.7.4 release
• f09dc7c Preparing for 6.1.7.3 release
• Additional commits viewable in compare view

Updates activerecord from 6.1.4.4 to 6.1.7.8

Release notes

Sourced from activerecord's releases.

6.1.7.8

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• 7d949d7 Preparing for 6.1.7.4 release
• f09dc7c Preparing for 6.1.7.3 release
• Additional commits viewable in compare view

Updates activestorage from 6.1.4.4 to 6.1.7.8

Release notes

Sourced from activestorage's releases.

6.1.7.8

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 78fe149 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• 7d949d7 Preparing for 6.1.7.4 release
• Additional commits viewable in compare view

Updates activesupport from 6.1.4.4 to 6.1.7.8

Release notes

Sourced from activesupport's releases.

6.1.7.8

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• c85cc66 Use a temporary file for storing unencrypted files while editing
• 7d949d7 Preparing for 6.1.7.4 release
• Additional commits viewable in compare view

Updates globalid from 1.0.0 to 1.2.1

Release notes

Sourced from globalid's releases.

1.2.0

What's Changed

• Drop support to Rails < 6.1 and Ruby <2.7 by @​rafaelfranca in rails/globalid#153
• Don't show secrets for SignedGlobalID#inspect by @​p8 in rails/globalid#160
• Allow for composite identifiers delimited by / by @​nvasilevski in rails/globalid#163
• Add Eager Load Option by @​rafacoello in rails/globalid#139

New Contributors

• @​rafaelfranca made their first contribution in rails/globalid#153
• @​p8 made their first contribution in rails/globalid#159
• @​nvasilevski made their first contribution in rails/globalid#162
• @​rafacoello made their first contribution in rails/globalid#139

Full Changelog: rails/globalid@v1.1.0...v1.2.0

1.1.0

What's Changed

• URI::GID: Update #check_scheme, no need to call super by @​alexcwatt in rails/globalid#146
• JSON-encode GlobalIDs as strings by @​georgeclaghorn in rails/globalid#149
• Support pattern matching of GlobalID & GlobalID::URI by @​ojab in rails/globalid#140
• prevent double find by @​ooooooo-q in rails/globalid#148
• implement non signed global_id helper method on fixture set by @​rainerborene in rails/globalid#144

New Contributors

• @​daemonsy made their first contribution in rails/globalid#142
• @​alexcwatt made their first contribution in rails/globalid#146
• @​liijunwei made their first contribution in rails/globalid#150
• @​ojab made their first contribution in rails/globalid#140
• @​ooooooo-q made their first contribution in rails/globalid#148
• @​rainerborene made their first contribution in rails/globalid#144

Full Changelog: rails/globalid@v1.0.1...v1.1.0

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

... (truncated)

Commits

• 488ab6c Prepare for 1.2.1
• 0f585e9 Whitespaces
• 626a342 Merge pull request #168 from ghiculescu/handle-no-primary-key
• 759d1eb Don't break on models where primary_key is not defined
• 27dff72 Prepare for 1.2.0
• 4ec9833 Merge pull request #165 from rails/rm-json-serializer
• d371dd1 Change verifier to conform Rails 7.1 API
• b73e5f9 Remove deprecation when default cache format is used
• 5246758 Make sure legacy verifier behavior work with JSON serializer and symbol values
• 2fab171 Update the ruby extension to use Ruby LSP
• Additional commits viewable in compare view

Updates loofah from 2.13.0 to 2.22.0

Release notes

Sourced from loofah's releases.

2.22.0 / 2023-11-13

Added

• A :targetblank HTML scrubber which ensures all hyperlinks have target="_blank". #275 @​stefannibrasil and @​thdaraujo
• A :noreferrer HTML scrubber which ensures all hyperlinks have rel=noreferrer, similar to the :nofollow and :noopener scrubbers. #277 @​wynksaiddestroy

2.21.4 / 2023-10-10

Fixed

• Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

• Quash "instance variable not initialized" warning in Ruby < 3.0. [#268] (Thanks, @​dharamgollapudi!)

2.21.2 / 2023-05-11

Dependencies

• Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

• Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

• Loofah.html5_document
• Loofah.html5_fragment
• Loofah.scrub_html5_document
• Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.22.0 / 2023-11-13

Added

• A :targetblank HTML scrubber which ensures all hyperlinks have target="_blank". #275 @​stefannibrasil and @​thdaraujo
• A :noreferrer HTML scrubber which ensures all hyperlinks have rel=noreferrer, similar to the :nofollow and :noopener scrubbers. #277 @​wynksaiddestroy

2.21.4 / 2023-10-10

Fixed

• Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

• Quash "instance variable not initialized" warning in Ruby < 3.0. [#268] (Thanks, @​dharamgollapudi!)

2.21.2 / 2023-05-11

Dependencies

• Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

• Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

• Loofah.html5_document
• Loofah.html5_fragment
• Loofah.scrub_html5_document
• Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Commits

• cb14ea7 version bump to v2.22.0
• 64e0a26 update CHANGELOG
• c5cfb80 Merge pull request #277 from wynksaiddestroy/feature/noreferrer_scrubber
• 4ad2e13 Add noreferrer scrubber
• 5345bb7 Merge pull request #275 from hexdevs/add-target-blank-scrub
• 09e11ad feat: adds :targetblank scrubber
• 992b054 version bump to v2.21.4
• 5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
• 876116e fix: scrub_css is more consistent with whitespace
• edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
• Additional commits viewable in compare view

Updates nokogiri from 1.12.5 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

---

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

---

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@​flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@​flavorjones)

... (truncated)

Commits

• cd70bd3 version bump to v1.16.5
• afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
• 41b4f08 ci: add arm64-darwin coverage using macos-14
• 67b9e86 dep: update libxml2 to v2.12.7
• 17c0362 version bump to v1.16.4
• 1c329e9 dep: update to zlib 1.3.1 (v1.16.x) (#3175)
• edeac07 dep: update to zlib 1.3.1
• 80fb608 version bump to v1.16.3
• 710bd96 dep: update libxml 2.12.6 (branch v1.16.x) (#3151)
• 461a96e fix: Reader#read sets @​encoding if it is unset
• Additional commits viewable in compare view

Updates rack from 2.2.3 to 2.2.9

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

• rack.input is now optional. (#1997, [@​ioquatix])
• PATH_INFO is now validated according to the HTTP/1.1 specification. (#2117, [@​ioquatix])

Changed

• rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, [@​ioquatix])
• Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, [@​ioquatix])
• MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15)
• Add .mjs MIME type (#2057, [@​axilleas])
• Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use mondern font/* types. (#2065, [@​davidstosik])
• Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to [#39](https://github.com/rack/rack/issues/39); instead of #x27;. (decimal vs hexadecimal) (#2099, @​JunichiIto)
• set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, [@​flavio-b])
• Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, [@​wtn])
• Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, [@​wtn])
• In Rack::Files, ignore the Range header if served file is 0 bytes. (#2159, [@​zarqman])
• rack.early_hints is now officially supported as an optional feature (already implemented by Unicorn, Puma, and Falcon). (#1831, [@​casperisfine, @​jeremyevans])
• • Add Rack::SetXForwardedProtoHeader middleware (#2089, [@​tomharvey])

[3.0.11] - 2024-05-10

• Backport #2062 to 3-0-stable: Do not allow BodyProxy to respond to to_str, make to_ary call close . (#2062, @​jeremyevans)

[3.0.10] - 2024-03-21

• Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#2164, @​JoeDupuis)

[3.0.9.1] - 2024-02-21

Security

• CVE-2024-26146 Fixed ReDoS in Accept header parsing
• CVE-2024-25126 Fixed ReDoS in Content Type header parsing
• CVE-2024-26141 Reject Range headers which are too large

[3.0.9] - 2024-01-31

• Fix incorrect content-length header that was emitted when Rack::Response#write was used in some situations. (#2150, @​mattbrictson)

... (truncated)

Commits

• b1deebd Bump patch version.
• f7d40f9 Merge branch '2-2-sec' into 2-2-stable
• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• fdb12cb backport #2104 (#2121)
• 99057e6 Update CHANGELOG for 2.2.8 (#2107)
• 3314622 Adds missing 2.2.8 to CHANGELOG.md (#2106)
• f169ff7 Bump patch version.
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.4.2 to 1.6.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.6.0 / 2023-05-26

• Dependencies have been updated:

  • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
  • As a result, required Ruby version is now >= 2.7.0

  Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

• HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

• Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  • Rails::HTML for general functionality (replacing Rails::Html)
  • Rails::HTML4 containing sanitizers that parse content as HTML4
  • Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

• LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.6.0 / 2023-05-26

• Dependencies have been updated:

  • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
  • As a result, required Ruby version is now >= 2.7.0

  Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

• HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

• Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  • Rails::HTML for general functionality (replacing Rails::Html)
  • Rails::HTML4 containing sanitizers that parse content as HTML4
  • Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

• LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Commits

• 19fd6cd version bump to v1.6.0
• a9b2f1e doc: update CHANGELOG and README with supported branch info
• ca29c20 doc: update README moving verbose notes after usage
• 3b31be5 version bump to v1.6.0.rc2
• b98af6c Merge pull request #167 from rails/flavorjones-best-supported-vendor-method
• e953444 feat: introduce Rails::HTML::Sanitizer.best_supported_vendor
• 5419017 version bump to v1.6.0.rc1
• 669dcd0 doc: update CONTRIBUTING with release process
• cd77210 Merge pull request #166 from rails/flavorjones-update-deps-for-html5-variation2
• 7cc07bb dep: update loofah and nokogiri to versions fully supporting HTML5
• Additional commits viewable in compare view

Updates rexml from 3.2.5 to 3.2.8

Release notes

Sourced from rexml's releases.

REXML 3.2.8 - 2024-05-16

Fixes

• Suppressed a warning

REXML 3.2.7 - 2024-05-16

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-126

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for invalid encoding XML.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.2.8 - 2024-05-16 {#version-3-2-8}

Fixes

• Suppressed a warning

3.2.7 - 2024-05-16 {#version-3-2-7}

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-126

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for

... (truncated)

Commits

• 1cf37ba Add 3.2.8 entry
• b67081c Remove an unused variable (#128)
• 94e180e Suppress a warning
• d574ba5 ci: install only gems required for running tests (#129)
• 4670f8f Add missing Thanks section
• 9ba35f9 Bump version
• 085def0 Add 3.2.7 entry
• 4325835 Read quoted attributes in chunks (#126)
• e77365e Exclude older than 2.6 on macos-14
• bf2c8ed Move development dependencies to Gemfile (#124)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• `@dependabot ignore <dependency name...

Description has been truncated