Hi there,
I prepared my first LTS update. You can find it here:
https://salsa.debian.org/lts-team/packages/ruby-loofah
When I ran some test cases to see if all the vulnerabilities are fixed,
I discovered that there is a slight behavioral change:
As part of the fix for CVE-2022-23516, loofah will no longer remove
nested <script> sections, but escape the tags instead. They also
adjusted their tests for that. To demonstrate:
This:
<div><script><script>alert(1);</script></script></div>
resulted in:
<div>alert(1);</div>
and now it results in:
<div><script><script>alert(1);</script></script></div>
What do you think? I wonder if that is an acceptable change?