DevHeads.net

Postings by Mike Dalessio

loofah v2.2.0 released

loofah version 2.2.0 has been released!

* <https://github.com/flavorjones/loofah>
* <http://rubydoc.info/github/flavorjones/loofah/master/frames>
* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure.

nokogiri security update 1.8.2 released

nokogiri version 1.8.2 has been released.

This release contains a few new features and bugfixes in addition to the
security update, wherein the vendored libxml2 and libxslt versions have
been updated:

* libxml2 is updated from 2.9.5 to 2.9.7

* libxslt is updated from 1.1.30 to 1.1.32

which addresses at least one published vulnerability, CVE-2017-15412,
which rates a "priority:medium" from Canonical.

loofah 2.1.0 released

loofah version 2.1.0 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

<https://github.com/rgrove/crass>

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

Note that Loofah underlies Rails sanitization since 4.2, so please do let
me know via Github issue if this breaks any behavior for you.

nokogiri security update 1.8.1 Released

nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and
libxslt versions have been updated:

- libxml 2.9.5
- libxslt 1.1.30

which address the CVEs called out in USN3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library.

nokogiri 1.8.0 Released

Nokogiri version 1.8.0 has been released!

* <http://nokogiri.org>
* Installation: <http://nokogiri.org/tutorials/installing_nokogiri.html>
* Tutorials: <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

# 1.8.0 / 2017-06-04

## Backwards incompatibilities

This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and
`x64-mingw32` platform gems (containing pre-compiled DLLs).

nokogiri security update 1.7.2 released

nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt
1.1.29 vulnerabilities classified as "Medium" by Canonical and given a
CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.

These patches only apply when using Nokogiri's vendored libxslt package.

nokogiri security update 1.7.1 released

nokogiri version 1.7.1 has been released.

This is a security update based on 1.7.0.1, addressing two upstream libxml
2.9.4 vulnerabilities classified as "Medium" by Canonical, and CVSS3 score
of "5.3 Medium" by RedHat.

These patches only apply when using Nokogiri's vendored libxml2 package.

CFP: GORUCO 2017, NYC, June 24th

# GORUCO 2017 is now accepting talk proposals!

On Saturday, June 24th, [GORUCO][] is celebrating its 11th convocation as
NYC's premier regional software conference. It's a one-day, single-track
event geared toward highly motivated and experienced developers that's been
celebrated for its warm, personal spirit and strong sense of community.

[GORUCO]: http://goruco.com

You can start submitting your proposals at <http://cfp.goruco.com/>. If you
have questions, please email ... at goruco dot com.

hoe-debugging 1.3.0 released

hoe-debugging version 1.3.0 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few variants).

See the Hoe::Debugging module for a few configuration options.

This plugin expects you to have `gdb` and `valgrind` available in your PATH.

Changes:

### 1.3.0 / 2017-01-20

* The rake task now fails if valgrind detects any errors during the run.

nokogiri 1.7.0.1 Released

nokogiri version 1.7.0.1 has been released!

* Tutorials: <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

* Fix OpenBSD support. (#1569) (related to #1543)

nokogiri 1.7.0 Released

nokogiri version 1.7.0 has been released!

No meaningful functional changes in this release. This release is primarily
serving as a bridge release for ending support of versions of Ruby that are
no longer supported, and introducing support for Ruby 2.4.0 without
deprecation warnings.

loofah-activerecord 2.0.0 Released

loofah-activerecord version 2.0.0 has been released!

* <http://github.com/flavorjones/loofah-activerecord>
* <http://rubydoc.info/github/flavorjones/loofah-activerecord/master/frames>
* <http://librelist.com/browser/loofah>

`loofah-activerecord` extends `loofah`'s HTML sanitization into Rails
ActiveRecord models.

See more about `loofah` at: <http://github.com/flavorjones/loofah>

Changes:

## 2.0 (2016-11-22)

Backwards incompatibilities:

* Removed support for Rails <= 3.0.

Features:

* Added support for Rails 5.

nokogiri 1.6.8.1 Released

nokogiri version 1.6.8.1 has been released!

Changes:

=== 1.6.8.1 / 2016-10-03

==== Dependency License Notes

Removes required dependency on the `pkg-config` gem. This dependency was
introduced in v1.6.8 and, because it's distributed under LGPL, was
objectionable to some Nokogiri users (#1488, #1496).

This version makes `pkg-config` an optional dependency. If it's installed,
it's used; but otherwise Nokogiri will attempt to work around its absence.

This gem was only used when building Nokogiri against system libraries when
the Linux tool `pkg-config` was not present.

nokogiri 1.6.8 Released

nokogiri version 1.6.8 has been released!

* Tutorials: <http://nokogiri.org>
* Installation: <http://nokogiri.org/tutorials/installing_nokogiri.html>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's
many features is the ability to search documents via XPath or CSS3
selectors.

Changes:

==== Security Notes

[MRI] Bundled libxml2 is upgraded to 2.9.4, which fixes many security
issues.

GORUCO 2016 tickets and speaker line-up

Hello Rubyists,

I'm excited to invite you to GORUCO -- one of the U.S.'s largest regional
Ruby conferences, happening on Saturday, June 25. For the past 10 years,
GORUCO has been organized by Ruby developers (just like you and me) who
volunteer within the community to bring people together to share and learn
in exciting technical sessions.

license_finder 2.1.0 released

LicenseFinder v2.1.0 has been released!

LicenseFinder works with your package managers to find dependencies,
detect the licenses of the packages in them, compare those licenses
against a user-defined whitelist, and give you an actionable exception
report.

* code: <https://github.com/pivotal/LicenseFinder>
* support:
  * license- ... at googlegroups dot com
  * <https://groups.google.com/forum/#!forum/license-finder>
* backlog: <https://www.pivotaltracker.com/s/projects/234851>

### Supported project types

* Ruby Gems (via `bundler`)
* Python Eggs (via `pip`)
* Node.js (via `npm`)
* Bower
* Nuget (with

nokogiri security update - 1.6.7.2

Hello,

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499

Ubuntu classifies this as "Priority: *Low*", RedHat classifies this as
"Impact: *Moderate*", and NIST classifies this as "Severity: 5.0 (*MEDIUM*)".

Full details are included below.

Please note that although CVE-2015-7499 was partially addressed in the
1.6.7.1 release, an additional commit was included in the latest Canonical
security update from 2016-01-19 (along with two previous commits necessary
for that patch to apply cleanly) als

nokogiri security update - 1.6.7.1

Hello,

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312
CVE-2015-7497
CVE-2015-7498
CVE-2015-7499
CVE-2015-7500
CVE-2015-8241
CVE-2015-8242
CVE-2015-8317

These CVEs are all *low* or *medium* priority according to Canonical,
however NIST NVD gives CVE-2015-5312 a *high* severity score.

hoe-debugging 1.2.1 Released

hoe-debugging version 1.2.1 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few variants).

Changes:

### 1.2.1 / 2015-12-16

Features:

* Set larger stack size (via `ulimit -s`) to properly support Ruby 2.1 and
later

nokogiri 1.6.7 Released

nokogiri version 1.6.7 has been released!

* <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

### 1.6.7 / 2015-11-29

==== Notes

This version supports native builds on Windows using the RubyInstaller
DevKit.

nokogiri 1.6.6.4 Released (security)

nokogiri version 1.6.6.4 has been released!

Changes:

### 1.6.6.4 / 2015-11-19

This version pulls in an upstream patch to the vendored libxml2 to address:

* unclosed comment uninitialized access issue (#1376)

This issue does not have a CVE assigned to it at this time. Background at
<https://bugzilla.gnome.org/show_bug.cgi?id=746048>

Please also note that Canonical has not yet pulled this patch in to their
backport, to our knowledge.

nokogiri 1.6.6.3 Released (security update)

nokogiri version 1.6.6.3 has been released!

Changes:

### 1.6.6.3 / 2015-11-16

This version pulls in several upstream patches to the vendored libxml2 and
libxslt to address:

* CVE-2015-1819
* CVE-2015-7941_1
* CVE-2015-7941_2
* CVE-2015-7942
* CVE-2015-7942-2
* CVE-2015-8035
* CVE-2015-7995

See #1374 (<https://github.com/sparklemotion/nokogiri/issues/1374>) for
details.

nokogiri 1.6.7.rc2 Released

nokogiri version 1.6.7.rc2 has been released!

This is intended as a "request for comments" release focused on improved
Windows support. If no known blockers are raised by Friday, 4 Sept 2015,
this will be released as 1.6.7 final.

If you have ever complained about Windows support, this is your opportunity
to contribute.

mini_portile 0.7.0.rc1 released

mini_portile v0.7.0.rc1 has been released!

Many thanks to @larskanis, @knu, and @kirikak2, who all contributed
code, ideas, or both to this release.

This release improves portability, focusing on the Windows platform.

loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

<https://github.com/rgrove/crass>

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area.

loofah 2.0.3 released

loofah version 2.0.3 has been released!

TL;DR: This reverts a change that introduced slow performance for some CSS
properties. See <https://github.com/flavorjones/loofah/issues/90> for details.

* <https://github.com/flavorjones/loofah>
* <http://rubydoc.info/github/flavorjones/loofah/master/frames>
* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention).

chromedriver-helper 1.0.0 released

chromedriver-helper 1.0.0 has been released!

Easy installation and use of [chromedriver](https://sites.google.com/a/chromium.org/chromedriver/),
the Chromium project's selenium webdriver adapter.

* <http://github.com/flavorjones/chromedriver-helper>

# Description

`chromedriver-helper` installs an executable, `chromedriver`, in your
gem path.

This script will, if necessary, download the appropriate binary for
your platform and install it into `~/.chromedriver-helper`, then exec
it. Easy peasy!

1.0.0 - 2015-06-06
* Updated gemspec info.

GORUCO 2015 Call for Proposals

The Gotham Ruby Conference, a one-day, single-track event in New York City,
is now accepting talk proposals.

chromedriver-helper 0.0.8 released

chromedriver-helper version 0.0.8 has been released!

Easy installation and use of chromedriver, the Chromium project's selenium
webdriver adapter.

* <http://github.com/flavorjones/chromedriver-helper>

Changes:

0.0.8 - 2015-01-23
* Guaranteeing that we get the *latest* version of chromedriver. (#15)
(Thanks, @AlexRiedler!)

nokogiri 1.6.6.1 released

nokogiri version 1.6.6.1 has been released!

(Note that 1.6.6.0 was not released.)

* <http://nokogiri.org>
* <https://github.com/sparklemotion/nokogiri>
* <https://groups.google.com/group/nokogiri-talk>
* <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.