Hi there, I prepared my first LTS update. You can find it here:
https://salsa.debian.org/lts-team/packages/ruby-loofah

When I ran some test cases to see if all the vulnerabilities are fixed, I discovered that there is a slight behavioral change: as part of the fix for CVE-2022-23516, loofah will no longer remove nested <script> sections, but escape the tags instead. They also adjusted their tests for that.

To demonstrate, this:

<div><script><script>alert(1);</script></script></div>

resulted in:

<div>alert(1);</div>

and now it results in:

<div><script><script>alert(1);</script></script></div>

What do you think? I wonder if that is an acceptable change? If you have any other feedback, please don't hesitate to leave it here.

Regards,
Daniel
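The question the message raises is whether escaping the nested tags, rather than stripping them, still leaves the fixed package safe. One way to check that is to re-parse each sanitizer output with an HTML parser and count the <script> elements it produces, which is what a browser would do with the output. The following is an added example and not part of the message, the ruby-loofah package or its tests; it uses Python's standard-library html.parser as a stand-in for a browser tokenizer, and it assumes that the "now" output is the entity-escaped form (&lt;script&gt; ...), since the message says the tags are escaped and the literal tags shown above are presumably how the mail client rendered those entities. The three sample strings are constructed from the message.

```python
"""Re-parse sanitizer output and report whether any <script> element survives.

Added example, not from the ruby-loofah project. Python's html.parser is used
as a stand-in for a browser's tokenizer: after a <script> start tag it
switches to raw-text mode until the matching </script>, so nested <script>
tags end up as script content, exactly the case the message discusses.
"""
from html.parser import HTMLParser


class ScriptCounter(HTMLParser):
    """Counts <script> start tags and separates script content from visible text."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.script_chunks = []   # data the parser treats as script source
        self.text_chunks = []     # data the parser treats as ordinary text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Entity references such as &lt; are already decoded here
        # (convert_charrefs=True by default), but only outside raw-text mode.
        (self.script_chunks if self._in_script else self.text_chunks).append(data)


def script_elements(html):
    """Return (number of <script> elements, concatenated script source)."""
    p = ScriptCounter()
    p.feed(html)
    p.close()
    return p.script_tags, "".join(p.script_chunks)


def visible_text(html):
    """Return the text a reader would see, i.e. everything outside <script>."""
    p = ScriptCounter()
    p.feed(html)
    p.close()
    return "".join(p.text_chunks)


def is_script_free(html):
    """True when re-parsing the string yields no <script> element at all."""
    return script_elements(html)[0] == 0


# Constructed samples, taken from the cases quoted in the message.
UNSANITIZED = "<div><script><script>alert(1);</script></script></div>"
# Output before the CVE-2022-23516 fix: nested <script> sections removed.
OLD_OUTPUT = "<div>alert(1);</div>"
# Assumed output after the fix: the tags are escaped, not removed.
NEW_OUTPUT = ("<div>&lt;script&gt;&lt;script&gt;alert(1);"
              "&lt;/script&gt;&lt;/script&gt;</div>")


if __name__ == "__main__":
    for label, doc in [("unsanitized", UNSANITIZED),
                       ("old output", OLD_OUTPUT),
                       ("new output", NEW_OUTPUT)]:
        count, source = script_elements(doc)
        print(f"{label:12s} script elements={count} "
              f"script source={source!r} visible text={visible_text(doc)!r}")
```

The raw input yields one script element whose source is `<script>alert(1);`, which is why a sanitizer must deal with it. Both the old and the assumed new output yield none: the old one drops the tags and leaves `alert(1);` as text, the new one leaves the whole `<script><script>alert(1);</script></script>` visible as text. From the parser's point of view the change only alters what the reader sees, not whether anything executes, so a regression test for the LTS package can assert `is_script_free` on the sanitized output rather than on an exact string.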