Make public force_correct_attribute_escaping!

which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
flavorjones · Mar 22, 2018 · 56e95a6 · 56e95a6
1 parent 9452bff
commit 56e95a6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 2.2.2 / 2018-03-22
+
+Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
+which was previously a private method. This is so that downstream gems
+(like rails-html-sanitizer) can use this logic directly for their own
+attribute scrubbers should they need to address CVE-2018-8048.
+
+
 ## 2.2.1 / 2018-03-19
 
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -101,8 +101,6 @@ def scrub_css style
           Crass::Parser.stringify sanitized_tree
         end
 
-        private
-
         #
         #  libxml2 >= 2.9.2 fails to escape comments within some attributes.
         #
-Original file line number
+Diff line change
@@ Expand Up / @@ -101,8 +101,6 @@ def scrub_css style @@
               Crass::Parser.stringify sanitized_tree
             end
-            private
             #
             #  libxml2 >= 2.9.2 fails to escape comments within some attributes.
             #
@@ Expand Down @@