actionview 4.1.0.beta1 → 4.1.0.beta2


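--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: e69ff5a4c30fd62beef867fc2784a150fb2257c8
-data.tar.gz: 432b3ab5392319c96a5bf40c6be38732e79d9471
+metadata.gz: f9b23cbe6e5836943ca74bf7087aca78ff64e3c9
+data.tar.gz: e97748e630afc36a648c8160bfff20b8cba563c4
 SHA512:
-metadata.gz: 130164484e50c2478720874582fe280412e5984fde4118f7300a474a04a13c5b759b3a1eba19d1cdee37349e170379b59b09416ffaf887f6d1081cda8c43529b
-data.tar.gz: 4df703381b324f9c3e85b97c095f6f41425b0322b451434f647608dbd25f9c787ca7472586d05986df199bdd8381a8d8a1452a5b8905270ce869e667c8b81299
+metadata.gz: 9394df9f9b71741dfa33bb7229abbe56c4915eb7a69905c7171c09c059f9ab826c580113f6ecac9e881c06c034e4da1174d6ab4c64567e2e958e771c00125817
+data.tar.gz: 46f8811a41621bdfbc7af6e9ec5fb79ada9ffcf1f8d96ce673c2945634fb020da611a29a73babe2ac7ef96c6853e52c4e2c31629646442ad8bd1b75617e43e98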
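--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+* Escape format, negative_format and units options of number helpers
+
+Fixes: CVE-2014-0081
+
 * A Cycle object should accept an array and cycle through it as it would with a set of
 comma-separated objects.
 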
@@ -384,20 +384,29 @@ module ActionView
384
384
 
385
385
  def delegate_number_helper_method(method, number, options)
386
386
  return unless number
387
- options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
387
+ options = escape_unsafe_options(options.symbolize_keys)
388
388
 
389
389
  wrap_with_output_safety_handling(number, options.delete(:raise)) {
390
390
  ActiveSupport::NumberHelper.public_send(method, number, options)
391
391
  }
392
392
  end
393
393
 
394
- def escape_unsafe_delimiters_and_separators(options)
395
- options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
396
- options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
397
- options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
394
+ def escape_unsafe_options(options)
395
+ options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
396
+ options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
397
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
398
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
399
+ options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
400
+ options[:units] = escape_units(options[:units]) if options[:units] && Hash === options[:units]
398
401
  options
399
402
  end
400
403
 
404
+ def escape_units(units)
405
+ Hash[units.map do |k, v|
406
+ [k, ERB::Util.html_escape(v)]
407
+ end]
408
+ end
409
+
401
410
  def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
402
411
  valid_float = valid_float?(number)
403
412
  raise InvalidNumberError, number if raise_on_invalid && !valid_float
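Review bot: The `:unit` line in `escape_unsafe_options` keeps the old `&& !options[:unit].html_safe?` guard while the four new lines above it drop it; ActiveSupport's override of `ERB::Util.html_escape` already returns an `html_safe?` string unchanged, so the guard is redundant and the mixed style makes `:unit` look like a special case — `options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit]` would match the others. The `Hash === options[:units]` check leaves a non-Hash `:units` untouched; if that is intentional (a String `:units` being an I18n lookup key rather than text that reaches the page — verify against `number_to_human`), a comment such as `# A String :units is an I18n scope, not output; only a literal Hash carries user-supplied text` would keep the next reader from "fixing" it. `escape_units` escapes only hash values, which is correct for the symbol keys `number_to_human` uses, but a one-line comment stating that keys are trusted symbols would document the assumption. Since this method is the fix for CVE-2014-0081 named in the CHANGELOG hunk, a comment above `escape_unsafe_options` saying that every option interpolated into helper output must be escaped here (the caller passes a `symbolize_keys` copy, so mutating `options` is safe) would help whoever adds the next option. The file header for this hunk is not shown on the page, and the enclosing module continues outside it.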
@@ -1,7 +1,7 @@
1
1
  module ActionView
2
2
  # Returns the version of the currently loaded ActionView as a Gem::Version
3
3
  def self.version
4
- Gem::Version.new "4.1.0.beta1"
4
+ Gem::Version.new "4.1.0.beta2"
5
5
  end
6
6
 
7
7
  module VERSION #:nodoc:
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionview
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.1.0.beta1
4
+ version: 4.1.0.beta2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2013-12-18 00:00:00.000000000 Z
11
+ date: 2014-02-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,40 +16,40 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 4.1.0.beta1
19
+ version: 4.1.0.beta2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 4.1.0.beta1
26
+ version: 4.1.0.beta2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: builder
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - ~>
31
+ - - "~>"
32
32
  - !ruby/object:Gem::Version
33
33
  version: '3.1'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - ~>
38
+ - - "~>"
39
39
  - !ruby/object:Gem::Version
40
40
  version: '3.1'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: erubis
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - ~>
45
+ - - "~>"
46
46
  - !ruby/object:Gem::Version
47
47
  version: 2.7.0
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - ~>
52
+ - - "~>"
53
53
  - !ruby/object:Gem::Version
54
54
  version: 2.7.0
55
55
  - !ruby/object:Gem::Dependency
@@ -58,28 +58,28 @@ dependencies:
58
58
  requirements:
59
59
  - - '='
60
60
  - !ruby/object:Gem::Version
61
- version: 4.1.0.beta1
61
+ version: 4.1.0.beta2
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - '='
67
67
  - !ruby/object:Gem::Version
68
- version: 4.1.0.beta1
68
+ version: 4.1.0.beta2
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: activemodel
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
73
  - - '='
74
74
  - !ruby/object:Gem::Version
75
- version: 4.1.0.beta1
75
+ version: 4.1.0.beta2
76
76
  type: :development
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
80
  - - '='
81
81
  - !ruby/object:Gem::Version
82
- version: 4.1.0.beta1
82
+ version: 4.1.0.beta2
83
83
  description: Simple, battle-tested conventions and helpers for building web pages.
84
84
  email: david@loudthinking.com
85
85
  executables: []
@@ -87,14 +87,16 @@ extensions: []
87
87
  extra_rdoc_files: []
88
88
  files:
89
89
  - CHANGELOG.md
90
- - README.rdoc
91
90
  - MIT-LICENSE
91
+ - README.rdoc
92
+ - lib/action_view.rb
92
93
  - lib/action_view/base.rb
93
94
  - lib/action_view/buffers.rb
94
95
  - lib/action_view/context.rb
95
96
  - lib/action_view/dependency_tracker.rb
96
97
  - lib/action_view/digestor.rb
97
98
  - lib/action_view/flows.rb
99
+ - lib/action_view/helpers.rb
98
100
  - lib/action_view/helpers/active_model_helper.rb
99
101
  - lib/action_view/helpers/asset_tag_helper.rb
100
102
  - lib/action_view/helpers/asset_url_helper.rb
@@ -115,6 +117,7 @@ files:
115
117
  - lib/action_view/helpers/rendering_helper.rb
116
118
  - lib/action_view/helpers/sanitize_helper.rb
117
119
  - lib/action_view/helpers/tag_helper.rb
120
+ - lib/action_view/helpers/tags.rb
118
121
  - lib/action_view/helpers/tags/base.rb
119
122
  - lib/action_view/helpers/tags/check_box.rb
120
123
  - lib/action_view/helpers/tags/checkable.rb
@@ -148,11 +151,9 @@ files:
148
151
  - lib/action_view/helpers/tags/time_zone_select.rb
149
152
  - lib/action_view/helpers/tags/url_field.rb
150
153
  - lib/action_view/helpers/tags/week_field.rb
151
- - lib/action_view/helpers/tags.rb
152
154
  - lib/action_view/helpers/text_helper.rb
153
155
  - lib/action_view/helpers/translation_helper.rb
154
156
  - lib/action_view/helpers/url_helper.rb
155
- - lib/action_view/helpers.rb
156
157
  - lib/action_view/layouts.rb
157
158
  - lib/action_view/locale/en.yml
158
159
  - lib/action_view/log_subscriber.rb
@@ -169,27 +170,26 @@ files:
169
170
  - lib/action_view/rendering.rb
170
171
  - lib/action_view/routing_url_for.rb
171
172
  - lib/action_view/tasks/dependencies.rake
173
+ - lib/action_view/template.rb
172
174
  - lib/action_view/template/error.rb
175
+ - lib/action_view/template/handlers.rb
173
176
  - lib/action_view/template/handlers/builder.rb
174
177
  - lib/action_view/template/handlers/erb.rb
175
178
  - lib/action_view/template/handlers/raw.rb
176
- - lib/action_view/template/handlers.rb
177
179
  - lib/action_view/template/resolver.rb
178
180
  - lib/action_view/template/text.rb
179
181
  - lib/action_view/template/types.rb
180
- - lib/action_view/template.rb
181
182
  - lib/action_view/test_case.rb
182
183
  - lib/action_view/testing/resolvers.rb
184
+ - lib/action_view/vendor/html-scanner.rb
183
185
  - lib/action_view/vendor/html-scanner/html/document.rb
184
186
  - lib/action_view/vendor/html-scanner/html/node.rb
185
187
  - lib/action_view/vendor/html-scanner/html/sanitizer.rb
186
188
  - lib/action_view/vendor/html-scanner/html/selector.rb
187
189
  - lib/action_view/vendor/html-scanner/html/tokenizer.rb
188
190
  - lib/action_view/vendor/html-scanner/html/version.rb
189
- - lib/action_view/vendor/html-scanner.rb
190
191
  - lib/action_view/version.rb
191
192
  - lib/action_view/view_paths.rb
192
- - lib/action_view.rb
193
193
  homepage: http://www.rubyonrails.org
194
194
  licenses:
195
195
  - MIT
@@ -200,18 +200,18 @@ require_paths:
200
200
  - lib
201
201
  required_ruby_version: !ruby/object:Gem::Requirement
202
202
  requirements:
203
- - - '>='
203
+ - - ">="
204
204
  - !ruby/object:Gem::Version
205
205
  version: 1.9.3
206
206
  required_rubygems_version: !ruby/object:Gem::Requirement
207
207
  requirements:
208
- - - '>'
208
+ - - ">"
209
209
  - !ruby/object:Gem::Version
210
210
  version: 1.3.1
211
211
  requirements:
212
212
  - none
213
213
  rubyforge_project:
214
- rubygems_version: 2.1.11
214
+ rubygems_version: 2.2.0
215
215
  signing_key:
216
216
  specification_version: 4
217
217
  summary: Rendering framework putting the V in MVC (part of Rails).