Update sanitize and loofah (#6855)

Fixes CVE-2018-8048 and CVE-2018-3740, two medium-severity XSS vulnerabilities present in these gems when built against libxml2 >= 2.9.2.
7 years ago · d97903a358
parent 93897134ca
commit d97903a358
2 changed files with 7 additions and 7 deletions
--- a/2
+++ b/2
@ -71,7 +71,7 @@ gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'rqrcode', '~> 0.10'
 gem 'ruby-oembed', '~> 0.12', require: 'oembed'
 gem 'ruby-progressbar', '~> 1.4'
-gem 'sanitize', '~> 4.4'
+gem 'sanitize', '~> 4.6.4'
 gem 'sidekiq', '~> 5.0'
 gem 'sidekiq-scheduler', '~> 2.1'
 gem 'sidekiq-unique-jobs', '~> 5.0'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -288,7 +288,7 @@ GEM
      activesupport (>= 4, < 5.2)
      railties (>= 4, < 5.2)
      request_store (~> 1.0)
-    loofah (2.1.1)
+    loofah (2.2.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mail (2.7.0)
@ -316,9 +316,9 @@ GEM
      net-ssh (>= 2.6.5)
    net-ssh (4.2.0)
    nio4r (2.1.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
-    nokogumbo (1.4.13)
+    nokogumbo (1.5.0)
      nokogiri
    nsa (0.2.4)
      activesupport (>= 4.2, < 6)
@ -496,10 +496,10 @@ GEM
    rufus-scheduler (3.4.2)
      et-orbi (~> 1.0)
    safe_yaml (1.0.4)
-    sanitize (4.5.0)
+    sanitize (4.6.4)
      crass (~> 1.0.2)
      nokogiri (>= 1.4.4)
-      nokogumbo (~> 1.4.1)
+      nokogumbo (~> 1.4)
    sass (3.5.3)
      sass-listen (~> 4.0.0)
    sass-listen (4.0.0)
@ -699,7 +699,7 @@ DEPENDENCIES
  rubocop
  ruby-oembed (~> 0.12)
  ruby-progressbar (~> 1.4)
-  sanitize (~> 4.4)
+  sanitize (~> 4.6.4)
  scss_lint (~> 0.55)
  sidekiq (~> 5.0)
  sidekiq-bulk (~> 0.1.1)