Bump version and add explanation to HISTORY

rgrove · Sep 30, 2018 · 053e45a · 053e45a
1 parent 143e2d1
commit 053e45a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,26 @@
 Sanitize History
 ================================================================================
 
+Version 2.1.1 (2018-30-09)
+--------------------------
+
+* [CVE-2018-3740][176]: Backported the fix for an HTML injection vulnerability that could allow
+  XSS from the `sanitize 4.x` line.
+
+  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
+  specially crafted HTML fragment can cause libxml2 to generate improperly
+  escaped output, allowing non-whitelisted attributes to be used on whitelisted
+  elements.
+
+  Sanitize now performs additional escaping on affected attributes to prevent
+  this.
+
+  Many thanks to the Shopify Application Security Team for responsibly reporting
+  this issue.
+
+[176]:https://github.com/rgrove/sanitize/issues/176
+[187]:https://github.com/rgrove/sanitize/issues/187
+
 Version 2.1.0 (2014-01-13)
 --------------------------
 

diff --git a/lib/sanitize/version.rb b/lib/sanitize/version.rb
@@ -1,3 +1,3 @@
 class Sanitize
-  VERSION = '2.1.0'
+  VERSION = '2.1.1'
 end