Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • jake williamson 207 posts 873 karma points
    Mar 01, 2021 @ 02:13
    jake williamson
    0

    upgrading v8.8.0 through v8.11.1 is broken by HtmlSanitizer dependency?!

    hey out there,

    i've been upgrading a few v8 sites today and hit a fairly major issue:

    update-Package : Unable to find a version of 'HtmlSanitizer' that is compatible with 'UmbracoCms.Web 8.11.1 constraint: HtmlSanitizer (>= 4.0.217 && < 4.999999.0)'.
    

    seems version 4x of the HtmlSanitizer package has been removed from nuget and only version 5x is available...

    the v8.12.0-rc version of umbraco is available and has the dependency on v5 of HtmlSanitizer but i'm really not keen on upgrading production based sites to a release candidate version...

    has anyone else hit this?! the only info i can find is this bug report on github:

    https://github.com/umbraco/Umbraco-CMS/issues/9615

    the suggested work around is to put a version 4x of HtmlSanitizer on a local nuget feed - but if we can't get a nuget package of v4 as it's been removed, this is kinda impossible!

    it also means we'd be releasing umbraco to production servers with a know security issue in them... which seems risky as all hell...

    anyone else hit this?!?!

    cheers,

    jake

  • jake williamson 207 posts 873 karma points
    Mar 01, 2021 @ 04:26
    jake williamson
    100

    ok, hacking around and i think i've got the full workaround...

    i found that the last released 4x version of HtmlSanitizer was v4.0.217 (based on https://github.com/mganss/HtmlSanitizer/tags?after=v4.0.230)

    although it doesn't appear on https://www.nuget.org/packages/HtmlSanitizer/ it is still available on this link:

    http://nuget.org/api/v2/package/HtmlSanitizer/4.0.217

    so i downloaded that, stuck it in a directory and then installed it via the package manager:

    Install-Package HtmlSanitizer -source C:\Temp\packages

    (i guess you could set up C:\Temp\packages as a package source in the settings but i figured try this first...)

    now i can do update-Package UmbracoCms -Version 8.8.0 and as the package is already installed, the dependency is resolved and away the upgrade goes.

    so i've worked through the rest of the installs and my final step was to upgrade HtmlSanitizer to version 5 so the security vulnerability discovered in 4x doesn't effect any production based site.

    lucky i told my project manager upgrading the sites may take a while!

Please Sign in or register to post replies

Write your reply to:

Draft