Current version is up to 0.10.0.

Changes since 0.7.2 include:

  • Allow use tags through as long as they don't reference external resources.
  • Allow image tags
  • Allow safe image data URIs through
  • Allow setting xml options and another bugfix
  • Restructure arrays and add slope to attribute list
  • Always use lower case tags

I haven't been able to assess whether or not any are breaking changes.

Attachment: #15 3064351.patch (5.84 KB, larowlan)

Comments

matt_paz created an issue. See original summary.

larowlan’s picture

It's a minor update, so it should be fine; we should just relax the constraint to support minors.

larowlan’s picture

Status: Active » Fixed

We currently use ^0.7.1 but according to the composer docs that is interpreted as >0.7.1 and < 1.0.0

The salient part in their example docs:

For example ^1.2.3 is equivalent to >=1.2.3 <2.0.0

So there's nothing to do here.

matt_paz’s picture

Status: Fixed » Needs work

@larowlan

Hmmm. I may be mistaken, but perhaps that isn't quite right?
Note the except if major version is 0 exception?

"vendor/package": "^0.3.2", // >=0.3.2 <0.4.0 // except if major version is 0

Am I reading that right?

larowlan’s picture

Probably would help if I read the whole section in the docs 😂

100% happy to do a new release with a more flexible version constraint - what would you suggest?

matt_paz’s picture

Probably would help if I read the whole section in the docs 😂

Heh, well, I initially thought that too, but I couldn't figure out why it wasn't updating, so I just kept digging.

what would you suggest?

Hmm. Hard to say. If ya want to provide lots of flexibility (given the composer limitations), I'd guess ya might go with ~0.10 until a 1.X release is provided (or until breaking changes are encountered in 0.X -- at which point ya could lock it to a particular version in the interim). I'd thought about 0 - 1, but the 1.X release would probably be a significant enough milestone to warrant some deeper review.

So I'd guess either, ~0.10 or just stick with ^0.10 and continue to monitor as changes are made.

Also, FWIW, I haven't actually tested with 0.10 yet.

Thoughts?
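As an added illustration (not code from this issue, from enshrined/svg-sanitize, or from Composer itself), here is a small Python evaluator of Composer caret and tilde constraints. It implements the rule quoted above, including the major-version-0 exception, and checks which of a constructed list of tags each constraint would admit. The tag list is made up for the example and is not the library's real release history; the 0.0.z caret case follows the same "freeze the left-most non-zero component" rule as composer/semver.

```python
"""Evaluate Composer ^ and ~ version constraints against candidate tags (added example)."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '0.10.0' (or 'v0.10', '0.10') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def constraint_range(constraint: str) -> Tuple[Version, Version]:
    """Return (lower_inclusive, upper_exclusive) for a single ^ or ~ constraint."""
    m = re.fullmatch(r"([\^~])(\d+)(?:\.(\d+))?(?:\.(\d+))?", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, major = m.group(1), int(m.group(2))
    minor, patch = m.group(3), m.group(4)
    lower = (major, int(minor or 0), int(patch or 0))

    if op == "^":
        # Caret: freeze the left-most non-zero component. This is the
        # "except if major version is 0" rule from the Composer docs:
        # ^1.2.3 -> <2.0.0, ^0.3.2 -> <0.4.0, ^0.0.3 -> <0.0.4.
        if major != 0 or minor is None:
            upper = (major + 1, 0, 0)
        elif int(minor) != 0 or patch is None:
            upper = (major, int(minor) + 1, 0)
        else:
            upper = (major, int(minor), int(patch) + 1)
    else:
        # Tilde: only the last given component may float, regardless of major.
        # ~0.10 -> <1.0.0, ~1.2 -> <2.0.0, ~1.2.3 -> <1.3.0.
        if patch is None:
            upper = (major + 1, 0, 0)
        else:
            upper = (major, int(minor) + 1, 0)
    return lower, upper


def satisfies(constraint: str, version: str) -> bool:
    """True when `version` falls inside the half-open range of `constraint`."""
    lower, upper = constraint_range(constraint)
    return lower <= parse_version(version) < upper


def allowed_versions(constraint: str, candidates: List[str]) -> List[str]:
    """Filter a list of tags down to those the constraint would let Composer install."""
    return [v for v in candidates if satisfies(constraint, v)]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


# Constructed tag list standing in for a 0.x release history; not the library's real tags.
CANDIDATE_TAGS = ["0.7.1", "0.7.2", "0.8.0", "0.9.0", "0.10.0", "0.11.0", "1.0.0"]

if __name__ == "__main__":
    # ^0.7.1 stops at 0.8.0, which is why 0.10.0 never came in; ~0.10 floats up to 1.0.0.
    for c in ("^0.7.1", "^0.10", "~0.10"):
        lo, hi = constraint_range(c)
        print(f"{c:>7} => >={fmt(lo)} <{fmt(hi)} allows {allowed_versions(c, CANDIDATE_TAGS)}")
```

Running it shows ^0.7.1 admitting only 0.7.1 and 0.7.2 from the constructed list, ^0.10 admitting only 0.10.0, and ~0.10 admitting 0.10.0 and 0.11.0 but not 1.0.0, which is the trade-off between the two options discussed above.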

larowlan’s picture

Happy to go with ~0.10, but yeah, let's get some testing done first.

larowlan credited greggles.

larowlan credited tsug0d.

larowlan’s picture

Title: Evaluate Update of dependency enshrined/svg-sanitize » Relax composer.json to allow for upstream security fix in enshrined/svg-sanitize
Priority: Minor » Critical

There is a security fix in the upstream library - https://github.com/darylldoyle/svg-sanitizer/commit/51ca4b713f3706d6b277...

It's not yet in a tagged release, but we should relax our constraint so that when it is available, it can be installed.

Adding those who reported this privately first and worked on it there

larowlan’s picture

Title: Relax composer.json to allow for upstream security fix in enshrined/svg-sanitize » Pin composer.json to prevent installation of insecure versions of enshrined/svg-sanitize
Status: Needs work » Postponed

We're waiting for upstream to cut a new tag here

tsug0d’s picture

Hi, note that it is not only the XSS fix but also the Denial of Service (the new billion laughs attack introduced by us); we can see the beginning "bug-fix" commit is a60a9b3 in https://github.com/darylldoyle/svg-sanitizer/commits/master from ohader. We recommend updating the full repository code.

larowlan’s picture

Thanks, once a new release is made available from upstream, I'll update the composer.json here to be ^{that version}

larowlan’s picture

Assigned: Unassigned » larowlan
Status: Postponed » Active

Upstream tag is available

larowlan’s picture

Status: Active » Needs review
Attached: 3064351.patch (5.84 KB)

larowlan’s picture

Status: Needs review » Fixed

  • larowlan committed e1b0666 on 8.x-1.x
    Issue #3064351 by larowlan, matt_paz, tsug0d, greggles: Pin composer....

larowlan’s picture

Rolling a new release

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.