RubyGems - actionview - Versions diffs - 4.1.0.beta1 → 4.1.0.beta2 - Mend

actionview 4.1.0.beta1 → 4.1.0.beta2

Potentially problematic release.

This version of actionview might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/action_view/helpers/number_helper.rb +14 -5
data/lib/action_view/version.rb +1 -1
metadata +22 -22

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e69ff5a4c30fd62beef867fc2784a150fb2257c8
-  data.tar.gz: 432b3ab5392319c96a5bf40c6be38732e79d9471
+  metadata.gz: f9b23cbe6e5836943ca74bf7087aca78ff64e3c9
+  data.tar.gz: e97748e630afc36a648c8160bfff20b8cba563c4
 SHA512:
-  metadata.gz: 130164484e50c2478720874582fe280412e5984fde4118f7300a474a04a13c5b759b3a1eba19d1cdee37349e170379b59b09416ffaf887f6d1081cda8c43529b
-  data.tar.gz: 4df703381b324f9c3e85b97c095f6f41425b0322b451434f647608dbd25f9c787ca7472586d05986df199bdd8381a8d8a1452a5b8905270ce869e667c8b81299
+  metadata.gz: 9394df9f9b71741dfa33bb7229abbe56c4915eb7a69905c7171c09c059f9ab826c580113f6ecac9e881c06c034e4da1174d6ab4c64567e2e958e771c00125817
+  data.tar.gz: 46f8811a41621bdfbc7af6e9ec5fb79ada9ffcf1f8d96ce673c2945634fb020da611a29a73babe2ac7ef96c6853e52c4e2c31629646442ad8bd1b75617e43e98

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+*   Escape format, negative_format and units options of number helpers
+    Fixes: CVE-2014-0081
 *   A Cycle object should accept an array and cycle through it as it would with a set of
     comma-separated objects.

data/lib/action_view/helpers/number_helper.rb CHANGED Viewed

@@ -384,20 +384,29 @@ module ActionView
       def delegate_number_helper_method(method, number, options)
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.public_send(method, number, options)
         }
       end
-      def escape_unsafe_delimiters_and_separators(options)
-        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
-        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
-        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+      def escape_unsafe_options(options)
+        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
         options
       end
+      def escape_units(units)
+        Hash[units.map do |k, v|
+          [k, ERB::Util.html_escape(v)]
+        end]
+      end
       def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
         valid_float = valid_float?(number)
         raise InvalidNumberError, number if raise_on_invalid && !valid_float

data/lib/action_view/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module ActionView
   # Returns the version of the currently loaded ActionView as a Gem::Version
   def self.version
-    Gem::Version.new "4.1.0.beta1"
+    Gem::Version.new "4.1.0.beta2"
   end
   module VERSION #:nodoc:

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 4.1.0.beta1
+  version: 4.1.0.beta2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-12-18 00:00:00.000000000 Z
+date: 2014-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,40 +16,40 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.7.0
 - !ruby/object:Gem::Dependency
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0.beta1
+        version: 4.1.0.beta2
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -87,14 +87,16 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- README.rdoc
 - MIT-LICENSE
+- README.rdoc
+- lib/action_view.rb
 - lib/action_view/base.rb
 - lib/action_view/buffers.rb
 - lib/action_view/context.rb
 - lib/action_view/dependency_tracker.rb
 - lib/action_view/digestor.rb
 - lib/action_view/flows.rb
+- lib/action_view/helpers.rb
 - lib/action_view/helpers/active_model_helper.rb
 - lib/action_view/helpers/asset_tag_helper.rb
 - lib/action_view/helpers/asset_url_helper.rb
@@ -115,6 +117,7 @@ files:
 - lib/action_view/helpers/rendering_helper.rb
 - lib/action_view/helpers/sanitize_helper.rb
 - lib/action_view/helpers/tag_helper.rb
+- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/tags/base.rb
 - lib/action_view/helpers/tags/check_box.rb
 - lib/action_view/helpers/tags/checkable.rb
@@ -148,11 +151,9 @@ files:
 - lib/action_view/helpers/tags/time_zone_select.rb
 - lib/action_view/helpers/tags/url_field.rb
 - lib/action_view/helpers/tags/week_field.rb
-- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/text_helper.rb
 - lib/action_view/helpers/translation_helper.rb
 - lib/action_view/helpers/url_helper.rb
-- lib/action_view/helpers.rb
 - lib/action_view/layouts.rb
 - lib/action_view/locale/en.yml
 - lib/action_view/log_subscriber.rb
@@ -169,27 +170,26 @@ files:
 - lib/action_view/rendering.rb
 - lib/action_view/routing_url_for.rb
 - lib/action_view/tasks/dependencies.rake
+- lib/action_view/template.rb
 - lib/action_view/template/error.rb
+- lib/action_view/template/handlers.rb
 - lib/action_view/template/handlers/builder.rb
 - lib/action_view/template/handlers/erb.rb
 - lib/action_view/template/handlers/raw.rb
-- lib/action_view/template/handlers.rb
 - lib/action_view/template/resolver.rb
 - lib/action_view/template/text.rb
 - lib/action_view/template/types.rb
-- lib/action_view/template.rb
 - lib/action_view/test_case.rb
 - lib/action_view/testing/resolvers.rb
+- lib/action_view/vendor/html-scanner.rb
 - lib/action_view/vendor/html-scanner/html/document.rb
 - lib/action_view/vendor/html-scanner/html/node.rb
 - lib/action_view/vendor/html-scanner/html/sanitizer.rb
 - lib/action_view/vendor/html-scanner/html/selector.rb
 - lib/action_view/vendor/html-scanner/html/tokenizer.rb
 - lib/action_view/vendor/html-scanner/html/version.rb
-- lib/action_view/vendor/html-scanner.rb
 - lib/action_view/version.rb
 - lib/action_view/view_paths.rb
-- lib/action_view.rb
 homepage: http://www.rubyonrails.org
 licenses:
 - MIT
@@ -200,18 +200,18 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>'
+  - - ">"
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements:
 - none
 rubyforge_project:
-rubygems_version: 2.1.11
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).