actionpack 3.1.0.rc2 → 3.1.0.rc3

data/CHANGELOG

@@ -1,5 +1,34 @@
 *Rails 3.1.0 (unreleased)*
 
+* Fix escape_js to work correctly with the new SafeBuffer restriction [Paul Gallagher]
+
+* Brought back alternative convention for namespaced models in i18n [thoefer]
+
+  Now the key can be either "namespace.model" or "namespace/model" until further deprecation.
+
+* It is prohibited to perform a in-place SafeBuffer mutation [tenderlove]
+
+  The old behavior of SafeBuffer allowed you to mutate string in place via
+  method like `sub!`. These methods can add unsafe strings to a safe buffer,
+  and the safe buffer will continue to be marked as safe.
+
+  An example problem would be something like this:
+
+    <%= link_to('hello world', @user).sub!(/hello/, params[:xss])  %>
+
+  In the above example, an untrusted string (`params[:xss]`) is added to the
+  safe buffer returned by `link_to`, and the untrusted content is successfully
+  sent to the client without being escaped.  To prevent this from happening
+  `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
+
+  In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:
+
+     <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
+
+  The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
+
+  You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb
+
 * Warn if we cannot verify CSRF token authenticity [José Valim]
 
 * Allow AM/PM format in datetime selectors [Aditya Sanghi]

data/lib/action_pack/version.rb

@@ -3,7 +3,7 @@ module ActionPack
     MAJOR = 3
     MINOR = 1
     TINY  = 0
-    PRE   = "rc2"
+    PRE   = "rc3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end

data/lib/action_view/helpers/cache_helper.rb

@@ -51,7 +51,13 @@ module ActionView
           # This dance is needed because Builder can't use capture
           pos = output_buffer.length
           yield
-          fragment = output_buffer.slice!(pos..-1)
+          if output_buffer.is_a?(ActionView::OutputBuffer)
+            safe_output_buffer = output_buffer.to_str
+            fragment = safe_output_buffer.slice!(pos..-1)
+            self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
+          else
+            fragment = output_buffer.slice!(pos..-1)
+          end
           controller.write_fragment(name, fragment, options)
         end
       end

data/lib/action_view/helpers/javascript_helper.rb

@@ -18,7 +18,7 @@ module ActionView
       #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
-          javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
+          javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
         else
           ''
         end

data/lib/action_view/helpers/text_helper.rb

@@ -255,14 +255,16 @@ module ActionView
       #   simple_format("<span>I'm allowed!</span> It's true.", {}, :sanitize => false)
       #   # => "<p><span>I'm allowed!</span> It's true.</p>"
       def simple_format(text, html_options={}, options={})
-        text = ''.html_safe if text.nil?
+        text = text ? text.to_str : ''
+        text = text.dup if text.frozen?
         start_tag = tag('p', html_options, true)
-        text = sanitize(text) unless options[:sanitize] == false
         text.gsub!(/\r\n?/, "\n")                    # \r\n and \r -> \n
         text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}")  # 2+ newline  -> paragraph
         text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline   -> br
         text.insert 0, start_tag
-        text.html_safe.safe_concat("</p>")
+        text.concat("</p>")
+        text = sanitize(text) unless options[:sanitize] == false
+        text
       end
 
       # Creates a Cycle object whose _to_s_ method cycles through elements of an

data/lib/action_view/helpers/url_helper.rb

@@ -497,14 +497,14 @@ module ActionView
         }.compact
         extras = extras.empty? ? '' : '?' + ERB::Util.html_escape(extras.join('&'))
 
-        email_address_obfuscated = email_address.dup
+        email_address_obfuscated = email_address.to_str
         email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")
         email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.key?("replace_dot")
         case encode
         when "javascript"
           string = ''
           html   = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
-          html   = escape_javascript(html)
+          html   = escape_javascript(html.to_str)
           "document.write('#{html}');".each_byte do |c|
             string << sprintf("%%%x", c)
           end

data/lib/sprockets/helpers/rails_helper.rb

@@ -15,42 +15,48 @@ module Sprockets
         end
       end
 
-      def javascript_include_tag(source, options = {})
+      def javascript_include_tag(*sources)
+        options = sources.extract_options!
         debug = options.key?(:debug) ? options.delete(:debug) : debug_assets?
         body  = options.key?(:body)  ? options.delete(:body)  : false
 
-        if debug && asset = asset_paths.asset_for(source, 'js')
-          asset.to_a.map { |dep|
-            javascript_include_tag(dep, :debug => false, :body => true)
-          }.join("\n").html_safe
-        else
-          options = {
-            'type' => "text/javascript",
-            'src'  => asset_path(source, 'js', body)
-          }.merge(options.stringify_keys)
+        sources.collect do |source|
+          if debug && asset = asset_paths.asset_for(source, 'js')
+            asset.to_a.map { |dep|
+              javascript_include_tag(dep, :debug => false, :body => true)
+            }.join("\n").html_safe
+          else
+            tag_options = {
+              'type' => "text/javascript",
+              'src'  => asset_path(source, 'js', body)
+            }.merge(options.stringify_keys)
 
-          content_tag 'script', "", options
-        end
+            content_tag 'script', "", tag_options
+          end
+        end.join("\n").html_safe
       end
 
-      def stylesheet_link_tag(source, options = {})
+      def stylesheet_link_tag(*sources)
+        options = sources.extract_options!
         debug = options.key?(:debug) ? options.delete(:debug) : debug_assets?
         body  = options.key?(:body)  ? options.delete(:body)  : false
 
-        if debug && asset = asset_paths.asset_for(source, 'css')
-          asset.to_a.map { |dep|
-            stylesheet_link_tag(dep, :debug => false, :body => true)
-          }.join("\n").html_safe
-        else
-          options = {
-            'rel'   => "stylesheet",
-            'type'  => "text/css",
-            'media' => "screen",
-            'href'  => asset_path(source, 'css', body)
-          }.merge(options.stringify_keys)
+        sources.collect do |source|
+          if debug && asset = asset_paths.asset_for(source, 'css')
+            asset.to_a.map { |dep|
+              stylesheet_link_tag(dep, :debug => false, :body => true)
+            }.join("\n").html_safe
+          else
+            tag_options = {
+              'rel'   => "stylesheet",
+              'type'  => "text/css",
+              'media' => "screen",
+              'href'  => asset_path(source, 'css', body)
+            }.merge(options.stringify_keys)
 
-          tag 'link', options
-        end
+            tag 'link', tag_options
+          end
+        end.join("\n").html_safe
       end
 
     private

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  hash: 15424097
+  hash: 15424099
   prerelease: 6
   segments: 
   - 3
   - 1
   - 0
   - rc
-  - 2
-  version: 3.1.0.rc2
+  - 3
+  version: 3.1.0.rc3
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -17,7 +17,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-07 00:00:00 Z
+date: 2011-06-08 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -27,14 +27,14 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 15424097
+        hash: 15424099
         segments: 
         - 3
         - 1
         - 0
         - rc
-        - 2
-        version: 3.1.0.rc2
+        - 3
+        version: 3.1.0.rc3
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -45,14 +45,14 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 15424097
+        hash: 15424099
         segments: 
         - 3
         - 1
         - 0
         - rc
-        - 2
-        version: 3.1.0.rc2
+        - 3
+        version: 3.1.0.rc3
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency