Skip to content

build(deps): bump rails-html-sanitizer from 1.7.0 to 1.7.1#5292

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/rails-html-sanitizer-1.7.1
Open

build(deps): bump rails-html-sanitizer from 1.7.0 to 1.7.1#5292
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/rails-html-sanitizer-1.7.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps rails-html-sanitizer from 1.7.0 to 1.7.1.

Release notes

Sourced from rails-html-sanitizer's releases.

v1.7.1 / 2026-07-15

  • SVG reference elements now restrict both href and xlink:href to local references.

    Previously PermitScrubber restricted only xlink:href on elements in SVG_ALLOW_LOCAL_HREF, so a plain href attribute on those elements could reference an external document. Applications are only affected if the allowed tags are overridden to include an SVG reference element such as use; the default configuration is not affected.

    This change addresses GHSA-cj75-f6xr-r4g7 (CVE requested). The minimum Loofah dependency is now ~> 2.25, >= 2.25.2.

    Mike Dalessio @​flavorjones

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.7.1 / 2026-07-15

  • SVG reference elements now restrict both href and xlink:href to local references.

    Previously PermitScrubber restricted only xlink:href on elements in SVG_ALLOW_LOCAL_HREF, so a plain href attribute on those elements could reference an external document. Applications are only affected if the allowed tags are overridden to include an SVG reference element such as use; the default configuration is not affected.

    This change addresses GHSA-cj75-f6xr-r4g7 (CVE requested). The minimum Loofah dependency is now ~> 2.25, >= 2.25.2.

    Mike Dalessio

Commits
  • 4f37e3d version bump to v1.7.1
  • b4673b9 Merge pull request #223 from rails/svg-href-local-ref
  • 74dcb80 Properly restrict SVG href attributes
  • 11ee440 Adjust data: URI mediatype tests for loofah 2.25.2 (#222)
  • bc9622c Harden GitHub Actions workflows (#220)
  • 3459ffd dep(dev): update nokogiri (#219)
  • 8aa4bb2 build(deps-dev): bump concurrent-ruby from 1.3.6 to 1.3.7 (#218)
  • 4ddc0c7 dep(dev): update development dependencies (#217)
  • f87abb4 Merge pull request #215 from yuri-zubov/reduce-gem-size
  • 527b317 Reduce gem size by excluding test files
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.7.0...v1.7.1)

---
updated-dependencies:
- dependency-name: rails-html-sanitizer
  dependency-version: 1.7.1
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants