RubyGems - actionview - Versions diffs - 5.2.2.1 → 5.2.5 - Mend

actionview 5.2.2.1 → 5.2.5

Potentially problematic release.

This version of actionview might be problematic. Click here for more details.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +69 -1
data/lib/action_view/digestor.rb +4 -6
data/lib/action_view/gem_version.rb +2 -2
data/lib/action_view/helpers/form_helper.rb +3 -3
data/lib/action_view/helpers/form_tag_helper.rb +2 -0
data/lib/action_view/helpers/javascript_helper.rb +4 -2
data/lib/action_view/helpers/text_helper.rb +1 -1
data/lib/action_view/helpers/translation_helper.rb +12 -1
data/lib/action_view/helpers/url_helper.rb +1 -1
data/lib/assets/compiled/rails-ujs.js +23 -13
metadata +11 -11

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ddf7489cf1872707e15a168f18951255a69d8e8192c35f5815541c49625aaf
-  data.tar.gz: 46cad7c727247d6e343ef5f93e03102e79e67163acefe86a03bd80add0930b24
+  metadata.gz: 7c9ded984056c842554fab54d47aa905a1608850275e62f42ffbdaa9f6b9678b
+  data.tar.gz: 7757657de6c7b78b852e154a9e4e5cb9f97e23dafc5315b92f7a7965d46bf81b
 SHA512:
-  metadata.gz: 43280fe2541a02731231562229de63d98a4cb2fa96e53a6f84a62d7a4f730e765f57d1e7d3d290b49eb262cba91c0d05c46533e624b537d17a475610ea736811
-  data.tar.gz: c26308cd713ae918f94255617e0f4111ecd1ce7b9a9322caf7eb301144f4492e05c2adb2a31c12ce5568a7c6308bdff429ebf151e00e044147c8ee6a822c42be
+  metadata.gz: 9309b8503b260efa316d74e478f06310af4339e6b304cf2a8debb4dc833907f260ac2956e38dc1c01652a5739c7ddb19acf8fbfd7845247e9eb8e0fa3803ed7e
+  data.tar.gz: f2152a3e5897a172602b7340721c58825addba9d13d5fcf42c0aa253524e323caa50eda7d532b5a792c471872f165e3d8c049bf8255150095133beb758e7899f

data/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,76 @@
-## Rails 5.2.2.1 (March 11, 2019) ##
+## Rails 5.2.5 (March 26, 2021) ##
+*   No changes.
+## Rails 5.2.4.5 (February 10, 2021) ##
+*   No changes.
+## Rails 5.2.4.4 (September 09, 2020) ##
+*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
+    *Jonathan Hefner*
+## Rails 5.2.4.3 (May 18, 2020) ##
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
+## Rails 5.2.4.2 (March 19, 2020) ##
+*   Fix possible XSS vector in `escape_javascript` helper
+    CVE-2020-5267
+    *Aaron Patterson*
+## Rails 5.2.4.1 (December 18, 2019) ##
 *   No changes.
+## Rails 5.2.4 (November 27, 2019) ##
+*   Allow programmatic click events to trigger Rails UJS click handlers.
+    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
+    *Sudara Williams*
+## Rails 5.2.3 (March 27, 2019) ##
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
+    Fixes #34541
+    *Wolfgang Hobmaier*
+## Rails 5.2.2.1 (March 11, 2019) ##
+*   Only accept formats from registered mime types
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 ## Rails 5.2.2 (December 04, 2018) ##
 *   No changes.

data/lib/action_view/digestor.rb CHANGED Viewed

@@ -70,13 +70,11 @@ module ActionView
       end
       private
-        def find_template(finder, *args)
+        def find_template(finder, name, prefixes, partial, keys)
           finder.disable_cache do
-            if format = finder.rendered_format
-              finder.find_all(*args, formats: [format]).first || finder.find_all(*args).first
-            else
-              finder.find_all(*args).first
-            end
+            format = finder.rendered_format
+            result = finder.find_all(name, prefixes, partial, keys, formats: [format]).first if format
+            result || finder.find_all(name, prefixes, partial, keys).first
           end
         end
     end

data/lib/action_view/gem_version.rb CHANGED Viewed

@@ -9,8 +9,8 @@ module ActionView
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 2
-    PRE   = "1"
+    TINY  = 5
+    PRE   = nil
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/form_helper.rb CHANGED Viewed

@@ -736,7 +736,7 @@ module ActionView
       #   def labelled_form_with(**options, &block)
       #     form_with(**options.merge(builder: LabellingFormBuilder), &block)
       #   end
-      def form_with(model: nil, scope: nil, url: nil, format: nil, **options)
+      def form_with(model: nil, scope: nil, url: nil, format: nil, **options, &block)
         options[:allow_method_names_outside_object] = true
         options[:skip_default_ids] = !form_with_generates_ids
@@ -749,7 +749,7 @@ module ActionView
         if block_given?
           builder = instantiate_builder(scope, model, options)
-          output  = capture(builder, &Proc.new)
+          output  = capture(builder, &block)
           options[:multipart] ||= builder.multipart?
           html_options = html_options_for_form_with(url, model, options)
@@ -1971,7 +1971,7 @@ module ActionView
         convert_to_legacy_options(options)
-        fields_for(scope || model, model, **options, &block)
+        fields_for(scope || model, model, options, &block)
       end
       # Returns a label tag tailored for labelling an input field for a specified attribute (identified by +method+) on an object

data/lib/action_view/helpers/form_tag_helper.rb CHANGED Viewed

@@ -163,6 +163,8 @@ module ActionView
       # * <tt>:size</tt> - The number of visible characters that will fit in the input.
       # * <tt>:maxlength</tt> - The maximum number of characters that the browser will allow the user to enter.
       # * <tt>:placeholder</tt> - The text contained in the field by default which is removed when the field receives focus.
+      #   If set to true, use a translation is found in the current I18n locale
+      #   (through helpers.placeholders.<modelname>.<attribute>).
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples

data/lib/action_view/helpers/javascript_helper.rb CHANGED Viewed

@@ -12,7 +12,9 @@ module ActionView
         "\n"    => '\n',
         "\r"    => '\n',
         '"'     => '\\"',
-        "'"     => "\\'"
+        "'"     => "\\'",
+        "`"     => "\\`",
+        "$"     => "\\$"
       }
       JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "&#x2028;"
@@ -26,7 +28,7 @@ module ActionView
       #   $('some_element').replaceWith('<%= j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u) { |match| JS_ESCAPE_MAP[match] }
           javascript.html_safe? ? result.html_safe : result
         else
           ""

data/lib/action_view/helpers/text_helper.rb CHANGED Viewed

@@ -228,7 +228,7 @@ module ActionView
       #   pluralize(2, 'Person', locale: :de)
       #   # => 2 Personen
       def pluralize(count, singular, plural_arg = nil, plural: plural_arg, locale: I18n.locale)
-        word = if (count == 1 || count =~ /^1(\.0+)?$/)
+        word = if (count == 1 || count.to_s =~ /^1(\.0+)?$/)
           singular
         else
           plural || singular.pluralize(locale)

data/lib/action_view/helpers/translation_helper.rb CHANGED Viewed

@@ -79,14 +79,22 @@ module ActionView
         if html_safe_translation_key?(key)
           html_safe_options = options.dup
           options.except(*I18n::RESERVED_KEYS).each do |name, value|
             unless name == :count && value.is_a?(Numeric)
               html_safe_options[name] = ERB::Util.html_escape(value.to_s)
             end
           end
+          html_safe_options[:default] = MISSING_TRANSLATION unless html_safe_options[:default].blank?
           translation = I18n.translate(scope_key_by_partial(key), html_safe_options.merge(raise: i18n_raise))
-          translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          if translation.equal?(MISSING_TRANSLATION)
+            options[:default].first
+          else
+            translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          end
         else
           I18n.translate(scope_key_by_partial(key), options.merge(raise: i18n_raise))
         end
@@ -121,6 +129,9 @@ module ActionView
       alias :l :localize
       private
+        MISSING_TRANSLATION = Object.new
+        private_constant :MISSING_TRANSLATION
         def scope_key_by_partial(key)
           if key.to_s.first == "."
             if @virtual_path

data/lib/action_view/helpers/url_helper.rb CHANGED Viewed

@@ -253,7 +253,7 @@ module ActionView
       #   #      <input value="New" type="submit" />
       #   #    </form>"
       #
-      #   <%= button_to "New", new_articles_path %>
+      #   <%= button_to "New", new_article_path %>
       #   # => "<form method="post" action="/articles/new" class="button_to">
       #   #      <input value="New" type="submit" />
       #   #    </form>"

data/lib/assets/compiled/rails-ujs.js CHANGED Viewed

@@ -2,7 +2,7 @@
 Unobtrusive JavaScript
 https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts
 Released under the MIT license
- */
+ */;
 (function() {
   var context = this;
@@ -32,12 +32,17 @@ Released under the MIT license
   (function() {
     (function() {
-      var cspNonce;
+      var nonce;
-      cspNonce = Rails.cspNonce = function() {
-        var meta;
-        meta = document.querySelector('meta[name=csp-nonce]');
-        return meta && meta.content;
+      nonce = null;
+      Rails.loadCSPNonce = function() {
+        var ref;
+        return nonce = (ref = document.querySelector("meta[name=csp-nonce]")) != null ? ref.content : void 0;
+      };
+      Rails.cspNonce = function() {
+        return nonce != null ? nonce : Rails.loadCSPNonce();
       };
     }).call(this);
@@ -242,8 +247,8 @@ Released under the MIT license
         }
         if (!options.crossDomain) {
           xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+          CSRFProtection(xhr);
         }
-        CSRFProtection(xhr);
         xhr.withCredentials = !!options.withCredentials;
         xhr.onreadystatechange = function() {
           if (xhr.readyState === XMLHttpRequest.DONE) {
@@ -616,22 +621,24 @@ Released under the MIT license
         return setData(form, 'ujs:submit-button-formmethod', button.getAttribute('formmethod'));
       };
-      Rails.handleMetaClick = function(e) {
-        var data, link, metaClick, method;
+      Rails.preventInsignificantClick = function(e) {
+        var data, insignificantMetaClick, link, metaClick, method, nonPrimaryMouseClick;
         link = this;
         method = (link.getAttribute('data-method') || 'GET').toUpperCase();
         data = link.getAttribute('data-params');
         metaClick = e.metaKey || e.ctrlKey;
-        if (metaClick && method === 'GET' && !data) {
+        insignificantMetaClick = metaClick && method === 'GET' && !data;
+        nonPrimaryMouseClick = (e.button != null) && e.button !== 0;
+        if (nonPrimaryMouseClick || insignificantMetaClick) {
           return e.stopImmediatePropagation();
         }
       };
     }).call(this);
     (function() {
-      var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement, handleMetaClick, handleMethod, handleRemote, refreshCSRFTokens;
+      var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement, handleMethod, handleRemote, loadCSPNonce, preventInsignificantClick, refreshCSRFTokens;
-      fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm, handleRemote = Rails.handleRemote, formSubmitButtonClick = Rails.formSubmitButtonClick, handleMetaClick = Rails.handleMetaClick, handleMethod = Rails.handleMethod;
+      fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, loadCSPNonce = Rails.loadCSPNonce, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm, preventInsignificantClick = Rails.preventInsignificantClick, handleRemote = Rails.handleRemote, formSubmitButtonClick = Rails.formSubmitButtonClick, handleMethod = Rails.handleMethod;
       if ((typeof jQuery !== "undefined" && jQuery !== null) && (jQuery.ajax != null)) {
         if (jQuery.rails) {
@@ -665,12 +672,13 @@ Released under the MIT license
         delegate(document, Rails.linkDisableSelector, 'ajax:stopped', enableElement);
         delegate(document, Rails.buttonDisableSelector, 'ajax:complete', enableElement);
         delegate(document, Rails.buttonDisableSelector, 'ajax:stopped', enableElement);
+        delegate(document, Rails.linkClickSelector, 'click', preventInsignificantClick);
         delegate(document, Rails.linkClickSelector, 'click', handleDisabledElement);
         delegate(document, Rails.linkClickSelector, 'click', handleConfirm);
-        delegate(document, Rails.linkClickSelector, 'click', handleMetaClick);
         delegate(document, Rails.linkClickSelector, 'click', disableElement);
         delegate(document, Rails.linkClickSelector, 'click', handleRemote);
         delegate(document, Rails.linkClickSelector, 'click', handleMethod);
+        delegate(document, Rails.buttonClickSelector, 'click', preventInsignificantClick);
         delegate(document, Rails.buttonClickSelector, 'click', handleDisabledElement);
         delegate(document, Rails.buttonClickSelector, 'click', handleConfirm);
         delegate(document, Rails.buttonClickSelector, 'click', disableElement);
@@ -688,10 +696,12 @@ Released under the MIT license
         });
         delegate(document, Rails.formSubmitSelector, 'ajax:send', disableElement);
         delegate(document, Rails.formSubmitSelector, 'ajax:complete', enableElement);
+        delegate(document, Rails.formInputClickSelector, 'click', preventInsignificantClick);
         delegate(document, Rails.formInputClickSelector, 'click', handleDisabledElement);
         delegate(document, Rails.formInputClickSelector, 'click', handleConfirm);
         delegate(document, Rails.formInputClickSelector, 'click', formSubmitButtonClick);
         document.addEventListener('DOMContentLoaded', refreshCSRFTokens);
+        document.addEventListener('DOMContentLoaded', loadCSPNonce);
         return window._rails_loaded = true;
       };

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 5.2.2.1
+  version: 5.2.5
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-13 00:00:00.000000000 Z
+date: 2021-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.2.1
+        version: 5.2.5
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -230,8 +230,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.2.1/actionview
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.2.1/actionview/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionview
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionview/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -248,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.1
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).