Build(deps): Bump sanitize from 6.0.0 to 6.1.3

[dependabot]

Bumps sanitize from 6.0.0 to 6.1.3.

Release notes

Sourced from sanitize's releases.

v6.1.3

Bug Fixes

• The CSS URL protocol allowlist is now enforced on the nonstandard -webkit-image-set CSS function. [@​ltk - #242]242

v6.1.2

Bug Fixes

• The CSS URL protocol allowlist is now properly enforced in CSS Images Module Level 4 image and image-set functions. [@​ltk - #240]240

v6.1.1

Bug Fixes

• Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [@​flavorjones - #238]238

v6.1.0

Features

• Added the text-decoration-skip-ink and text-decoration-thickness CSS properties to the relaxed config. [@​martineriksson - #228]228

v6.0.2

Bug Fixes

• CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

  When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

  Thanks to @​cure53 for finding this issue.

v6.0.1

Bug Fixes

• Sanitize now always removes <noscript> elements and their contents, even when noscript is in the allowlist.

  This fixes a sanitization bypass that could occur when noscript was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.

  Sanitize's default configs don't allow <noscript> elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

  The root cause of this issue is that HTML parsing rules treat the contents of a <noscript> element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a <noscript> element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.

... (truncated)

Changelog

Sourced from sanitize's changelog.

6.1.3 (2024-08-14)

Bug Fixes

• The CSS URL protocol allowlist is now enforced on the nonstandard -webkit-image-set CSS function. [@​ltk - #242]242

6.1.2 (2024-07-27)

Bug Fixes

• The CSS URL protocol allowlist is now properly enforced in CSS Images Module Level 4 image and image-set functions. [@​ltk - #240]240

6.1.1 (2024-06-12)

Bug Fixes

• Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [@​flavorjones - #238]238

6.1.0 (2023-09-14)

Features

• Added the text-decoration-skip-ink and text-decoration-thickness CSS properties to the relaxed config. [@​martineriksson - #228]228

6.0.2 (2023-07-06)

Bug Fixes

• CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

  When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

  Thanks to @​cure53 for finding this issue.

6.0.1 (2023-01-27)

... (truncated)

Commits

• b0ec1d6 Release 6.1.3
• caa94cb Update history for 6.1.3
• c168413 Avoid repeating the list of CSS image functions
• a5d93bb Add protocol allowlisting for -webkit-image-set CSS function
• a98ac98 Release 6.1.2
• 9148cb0 Update history for 6.1.2
• 4478fa5 Enforce protocol allowlisting for image and image-set CSS funcs
• 2bc3d4a Release 6.1.1
• 3db37cb Update history for 6.1.1
• 49f7eed dep: update minitest dependency to avoid mutex_m on ruby 3.4.0-dev
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)