Skip to content

Bump loofah from 2.25.1 to 2.25.2#1667

Merged
github-actions[bot] merged 1 commit into
masterfrom
dependabot/bundler/loofah-2.25.2
Jul 15, 2026
Merged

Bump loofah from 2.25.1 to 2.25.2#1667
github-actions[bot] merged 1 commit into
masterfrom
dependabot/bundler/loofah-2.25.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown

Bumps loofah from 2.25.1 to 2.25.2.

Release notes

Sourced from loofah's releases.

2.25.2 / 2026-07-15

Security

  • Ensure Loofah::HTML5::Scrub.allowed_uri? recognizes numeric character references without semicolons (e.g. javascript&#58alert(1)), which browsers decode and execute, and rejects schemes split by them. See GHSA-5qhf-9phg-95m2. @​flavorjones
  • Ensure Loofah::HTML5::Scrub.allowed_uri? recognizes the named character references 	 and 
, which CGI.unescapeHTML does not decode and browsers strip from URIs, and rejects schemes split by them (e.g. java	script:alert(1)). See GHSA-8whx-365g-h9vv. @​flavorjones
  • Ensure that both href and xlink:href attributes on SVG elements like use are restricted to local (same-document) references. Previously only xlink:href was restricted, allowing the SVG 2 href attribute to reference external documents. See GHSA-9wjq-cp2p-hrgf. @​flavorjones

Improved

  • Harden data: URI mediatype parsing in Loofah::HTML5::Scrub.allowed_uri?. The mediatype is now parsed following the WHATWG data: URL spec and RFC 2397 instead of simply being split on a colon. A data: URI with an omitted or malformed mediatype is now treated as text/plain and allowed, and one without the required comma is now rejected. #305 @​flavorjones
  • Remove feed from the default set of allowed protocols. The feed URI scheme was never accepted as a standard protocol, and no major browser supports it. Removing it reduces the attack surface particularly for non-browser contexts. #304 @​flavorjones
  • Remove a vestigial &#x70 alternative from Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR. This appears to be an ancient typo dating back to pre-extraction Rails circa 2007. #305 @​flavorjones
Changelog

Sourced from loofah's changelog.

2.25.2 / 2026-07-15

Security

  • Ensure Loofah::HTML5::Scrub.allowed_uri? recognizes numeric character references without semicolons (e.g. javascript&#58alert(1)), which browsers decode and execute, and rejects schemes split by them. See GHSA-5qhf-9phg-95m2. @​flavorjones
  • Ensure Loofah::HTML5::Scrub.allowed_uri? recognizes the named character references 	 and 
, which CGI.unescapeHTML does not decode and browsers strip from URIs, and rejects schemes split by them (e.g. java	script:alert(1)). See GHSA-8whx-365g-h9vv. @​flavorjones
  • Ensure that both href and xlink:href attributes on SVG elements like use are restricted to local (same-document) references. Previously only xlink:href was restricted, allowing the SVG 2 href attribute to reference external documents. See GHSA-9wjq-cp2p-hrgf. @​flavorjones

Improved

  • Harden data: URI mediatype parsing in Loofah::HTML5::Scrub.allowed_uri?. The mediatype is now parsed following the WHATWG data: URL spec and RFC 2397 instead of simply being split on a colon. A data: URI with an omitted or malformed mediatype is now treated as text/plain and allowed, and one without the required comma is now rejected. #305 @​flavorjones
  • Remove feed from the default set of allowed protocols. The feed URI scheme was never accepted as a standard protocol, and no major browser supports it. Removing it reduces the attack surface particularly for non-browser contexts. #304 @​flavorjones
  • Remove a vestigial &#x70 alternative from Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR. This appears to be an ancient typo dating back to pre-extraction Rails circa 2007. #305 @​flavorjones
Commits
  • 2706d7e version bump to v2.25.2
  • 1afde0c Merge pull request #308 from flavorjones/security-2252
  • f1be9d8 Update allowed_uri? to decode semicolon-less numeric character references
  • 5e91af8 Update allowed_uri? to handle named whitespace character references
  • 20867b9 Properly restrict SVG href attributes
  • 5f3bff4 test: opt into JSON comment parsing for sanitizer testdata (#307)
  • b07713d test: do not run in verbose mode
  • babe7a8 doc: update CHANGELOG
  • a8d8d96 Merge pull request #305 from flavorjones/drop-protocol-typo
  • b52f4b0 version bump to 2.25.2.beta1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [loofah](https://github.com/flavorjones/loofah) from 2.25.1 to 2.25.2.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.25.1...v2.25.2)

---
updated-dependencies:
- dependency-name: loofah
  dependency-version: 2.25.2
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions github-actions Bot enabled auto-merge (squash) July 15, 2026 23:43
@github-actions github-actions Bot merged commit 3a7df4a into master Jul 15, 2026
26 checks passed
@dependabot dependabot Bot deleted the dependabot/bundler/loofah-2.25.2 branch July 15, 2026 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants