actionview 5.2.2.1 → 5.2.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +69 -1
- data/lib/action_view/digestor.rb +4 -6
- data/lib/action_view/gem_version.rb +2 -2
- data/lib/action_view/helpers/form_helper.rb +3 -3
- data/lib/action_view/helpers/form_tag_helper.rb +2 -0
- data/lib/action_view/helpers/javascript_helper.rb +4 -2
- data/lib/action_view/helpers/text_helper.rb +1 -1
- data/lib/action_view/helpers/translation_helper.rb +12 -1
- data/lib/action_view/helpers/url_helper.rb +1 -1
- data/lib/assets/compiled/rails-ujs.js +23 -13
- metadata +11 -11
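--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7c9ded984056c842554fab54d47aa905a1608850275e62f42ffbdaa9f6b9678b
+data.tar.gz: 7757657de6c7b78b852e154a9e4e5cb9f97e23dafc5315b92f7a7965d46bf81b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9309b8503b260efa316d74e478f06310af4339e6b304cf2a8debb4dc833907f260ac2956e38dc1c01652a5739c7ddb19acf8fbfd7845247e9eb8e0fa3803ed7e
+data.tar.gz: f2152a3e5897a172602b7340721c58825addba9d13d5fcf42c0aa253524e323caa50eda7d532b5a792c471872f165e3d8c049bf8255150095133beb758e7899f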
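--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,8 +1,76 @@
-## Rails 5.2.
+## Rails 5.2.5 (March 26, 2021) ##
+
+* No changes.
+
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+* No changes.
+
+
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+* [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
+
+*Jonathan Hefner*
+
+
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+* [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
+
+
+## Rails 5.2.4.2 (March 19, 2020) ##
+
+* Fix possible XSS vector in `escape_javascript` helper
+
+CVE-2020-5267
+
+*Aaron Patterson*
+
+
+## Rails 5.2.4.1 (December 18, 2019) ##
 
 * No changes.
 
 
+## Rails 5.2.4 (November 27, 2019) ##
+
+* Allow programmatic click events to trigger Rails UJS click handlers.
+Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
+
+*Sudara Williams*
+
+
+## Rails 5.2.3 (March 27, 2019) ##
+
+* Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
+
+```
+<%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+```
+
+Fixes #34541
+
+*Wolfgang Hobmaier*
+
+
+## Rails 5.2.2.1 (March 11, 2019) ##
+
+* Only accept formats from registered mime types
+
+A lack of filtering on mime types could allow an attacker to read
+arbitrary files on the target server or to perform a denial of service
+attack.
+
+Fixes CVE-2019-5418
+Fixes CVE-2019-5419
+
+*John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+
+
 ## Rails 5.2.2 (December 04, 2018) ##
 
 * No changes.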
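--- a/data/lib/action_view/digestor.rb
+++ b/data/lib/action_view/digestor.rb
@@ -70,13 +70,11 @@ module ActionView
 end
 
 private
-def find_template(finder,
+def find_template(finder, name, prefixes, partial, keys)
 finder.disable_cache do
-
-
-
-finder.find_all(*args).first
-end
+format = finder.rendered_format
+result = finder.find_all(name, prefixes, partial, keys, formats: [format]).first if format
+result || finder.find_all(name, prefixes, partial, keys).first
 end
 end
 end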
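Review bot: The new two-step lookup in `find_template` has no comment explaining why it may digest a template of a different format than the one rendered: when `finder.rendered_format` is nil the `if format` modifier leaves `result` nil, and when the format-specific `find_all` returns nothing the `||` on the next line silently falls back to a format-agnostic lookup. Since this decides which template source feeds the cache digest, suggest `# Prefer the template for the format actually rendered; when no format is known or none matches, fall back to the format-agnostic lookup the previous code used.` above `format = finder.rendered_format`. Whether a fallback to another format can yield a digest that does not match the rendered template depends on the caller, which is outside this hunk.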
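--- a/data/lib/action_view/helpers/form_helper.rb
+++ b/data/lib/action_view/helpers/form_helper.rb
@@ -736,7 +736,7 @@ module ActionView
 # def labelled_form_with(**options, &block)
 # form_with(**options.merge(builder: LabellingFormBuilder), &block)
 # end
-def form_with(model: nil, scope: nil, url: nil, format: nil, **options)
+def form_with(model: nil, scope: nil, url: nil, format: nil, **options, &block)
 options[:allow_method_names_outside_object] = true
 options[:skip_default_ids] = !form_with_generates_ids
 
@@ -749,7 +749,7 @@ module ActionView
 
 if block_given?
 builder = instantiate_builder(scope, model, options)
-output = capture(builder, &
+output = capture(builder, &block)
 options[:multipart] ||= builder.multipart?
 
 html_options = html_options_for_form_with(url, model, options)
@@ -1971,7 +1971,7 @@ module ActionView
 
 convert_to_legacy_options(options)
 
-fields_for(scope || model, model,
+fields_for(scope || model, model, options, &block)
 end
 
 # Returns a label tag tailored for labelling an input field for a specified attribute (identified by +method+) on an object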
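--- a/data/lib/action_view/helpers/form_tag_helper.rb
+++ b/data/lib/action_view/helpers/form_tag_helper.rb
@@ -163,6 +163,8 @@ module ActionView
 # * <tt>:size</tt> - The number of visible characters that will fit in the input.
 # * <tt>:maxlength</tt> - The maximum number of characters that the browser will allow the user to enter.
 # * <tt>:placeholder</tt> - The text contained in the field by default which is removed when the field receives focus.
+# If set to true, use a translation is found in the current I18n locale
+# (through helpers.placeholders.<modelname>.<attribute>).
 # * Any other key creates standard HTML attributes for the tag.
 #
 # ==== Examples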
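Review bot: The added doc line `# If set to true, use a translation is found in the current I18n locale` is ungrammatical and leaves the reader guessing what happens when no translation exists; suggest `# If set to true, a translation is looked up in the current I18n locale` followed by the existing `# (through helpers.placeholders.<modelname>.<attribute>).` line. The method these comments document begins below the hunk, so the behaviour on a missing translation cannot be confirmed from here and should be stated by whoever can see it.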
@@ -12,7 +12,9 @@ module ActionView
|
|
12
12
|
"\n" => '\n',
|
13
13
|
"\r" => '\n',
|
14
14
|
'"' => '\\"',
|
15
|
-
"'" => "\\'"
|
15
|
+
"'" => "\\'",
|
16
|
+
"`" => "\\`",
|
17
|
+
"$" => "\\$"
|
16
18
|
}
|
17
19
|
|
18
20
|
JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "
"
|
@@ -26,7 +28,7 @@ module ActionView
|
|
26
28
|
# $('some_element').replaceWith('<%= j render 'some/element_template' %>');
|
27
29
|
def escape_javascript(javascript)
|
28
30
|
if javascript
|
29
|
-
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
|
31
|
+
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u) { |match| JS_ESCAPE_MAP[match] }
|
30
32
|
javascript.html_safe? ? result.html_safe : result
|
31
33
|
else
|
32
34
|
""
|
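Review bot: The new backtick and dollar escapes in `escape_javascript` close the template-literal case listed as CVE-2020-5267 in the CHANGELOG, but the method's doc comment still does not state the contract the fix depends on, namely that the result is only safe inside a JavaScript string literal delimited by quotes or backticks, not as bare code and not in an HTML attribute without HTML escaping; suggest adding `# The result is only safe when placed inside a quoted or backtick-delimited JavaScript string literal.` to the comment block above `def escape_javascript`. As a style point, the two added single-character classes can be folded into the existing bracket expression so the alternation carries one character class holding newline, carriage return, both quote characters, the backtick and the dollar sign, which is easier to audit than three separate alternatives. The `\r\n` alternative must stay ahead of that class so a CRLF pair still maps to a single `\n`. The method's `else` branch and `end` lie outside the hunk.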
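--- a/data/lib/action_view/helpers/text_helper.rb
+++ b/data/lib/action_view/helpers/text_helper.rb
@@ -228,7 +228,7 @@ module ActionView
 # pluralize(2, 'Person', locale: :de)
 # # => 2 Personen
 def pluralize(count, singular, plural_arg = nil, plural: plural_arg, locale: I18n.locale)
-word = if (count == 1 || count =~ /^1(\.0+)?$/)
+word = if (count == 1 || count.to_s =~ /^1(\.0+)?$/)
 singular
 else
 plural || singular.pluralize(locale)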
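Review bot: `count.to_s =~ /^1(\.0+)?$/` anchors with `^` and `$`, which match at line boundaries, so a String count such as `"1\nanything"` is treated as singular; for a whole-string test the anchors should be `\A` and `\z`: `word = if (count == 1 || count.to_s =~ /\A1(\.0+)?\z/)`. The `.to_s` itself looks like the right move, since it stops a numeric `count` from reaching `=~` directly. The remainder of `pluralize` continues below the hunk.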
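--- a/data/lib/action_view/helpers/translation_helper.rb
+++ b/data/lib/action_view/helpers/translation_helper.rb
@@ -79,14 +79,22 @@ module ActionView
 
 if html_safe_translation_key?(key)
 html_safe_options = options.dup
+
 options.except(*I18n::RESERVED_KEYS).each do |name, value|
 unless name == :count && value.is_a?(Numeric)
 html_safe_options[name] = ERB::Util.html_escape(value.to_s)
 end
 end
+
+html_safe_options[:default] = MISSING_TRANSLATION unless html_safe_options[:default].blank?
+
 translation = I18n.translate(scope_key_by_partial(key), html_safe_options.merge(raise: i18n_raise))
 
-translation.
+if translation.equal?(MISSING_TRANSLATION)
+options[:default].first
+else
+translation.respond_to?(:html_safe) ? translation.html_safe : translation
+end
 else
 I18n.translate(scope_key_by_partial(key), options.merge(raise: i18n_raise))
 end
@@ -121,6 +129,9 @@ module ActionView
 alias :l :localize
 
 private
+MISSING_TRANSLATION = Object.new
+private_constant :MISSING_TRANSLATION
+
 def scope_key_by_partial(key)
 if key.to_s.first == "."
 if @virtual_path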
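Review bot: The sentinel assignment `html_safe_options[:default] = MISSING_TRANSLATION unless html_safe_options[:default].blank?` replaces the entire `:default` value, so any Symbol fallback keys the caller supplied are no longer tried by `I18n.translate`, and on a miss `options[:default].first` returns the first default even when that is a Symbol key rather than display text. If symbol fallbacks should keep working, pass them ahead of the sentinel and return the first non-Symbol default on a miss: `html_safe_options[:default] = Array(options[:default]).grep(Symbol) << MISSING_TRANSLATION unless options[:default].blank?` and `Array(options[:default]).find { |d| !d.is_a?(Symbol) }`. The `.first` call also presumes `options[:default]` has already been wrapped in an Array earlier in `translate`, which lies outside this hunk and should be confirmed. Returning the caller's default without `html_safe` is deliberate, since it is the CVE-2020-15169 fix listed in the CHANGELOG and leaves escaping to the view, so a comment such as `# Untrusted default: returned unmarked so the view escapes it` above `options[:default].first` would stop a later cleanup from re-marking it safe.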
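--- a/data/lib/action_view/helpers/url_helper.rb
+++ b/data/lib/action_view/helpers/url_helper.rb
@@ -253,7 +253,7 @@ module ActionView
 # # <input value="New" type="submit" />
 # # </form>"
 #
-# <%= button_to "New",
+# <%= button_to "New", new_article_path %>
 # # => "<form method="post" action="/articles/new" class="button_to">
 # # <input value="New" type="submit" />
 # # </form>"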
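--- a/data/lib/assets/compiled/rails-ujs.js
+++ b/data/lib/assets/compiled/rails-ujs.js
@@ -2,7 +2,7 @@
 Unobtrusive JavaScript
 https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts
 Released under the MIT license
-
+*/;
 
 (function() {
 var context = this;
@@ -32,12 +32,17 @@ Released under the MIT license
 
 (function() {
 (function() {
-var
+var nonce;
 
-
-
-
-
+nonce = null;
+
+Rails.loadCSPNonce = function() {
+var ref;
+return nonce = (ref = document.querySelector("meta[name=csp-nonce]")) != null ? ref.content : void 0;
+};
+
+Rails.cspNonce = function() {
+return nonce != null ? nonce : Rails.loadCSPNonce();
 };
 
 }).call(this);
@@ -242,8 +247,8 @@ Released under the MIT license
 }
 if (!options.crossDomain) {
 xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+CSRFProtection(xhr);
 }
-CSRFProtection(xhr);
 xhr.withCredentials = !!options.withCredentials;
 xhr.onreadystatechange = function() {
 if (xhr.readyState === XMLHttpRequest.DONE) {
@@ -616,22 +621,24 @@ Released under the MIT license
 return setData(form, 'ujs:submit-button-formmethod', button.getAttribute('formmethod'));
 };
 
-Rails.
-var data, link, metaClick, method;
+Rails.preventInsignificantClick = function(e) {
+var data, insignificantMetaClick, link, metaClick, method, nonPrimaryMouseClick;
 link = this;
 method = (link.getAttribute('data-method') || 'GET').toUpperCase();
 data = link.getAttribute('data-params');
 metaClick = e.metaKey || e.ctrlKey;
-
+insignificantMetaClick = metaClick && method === 'GET' && !data;
+nonPrimaryMouseClick = (e.button != null) && e.button !== 0;
+if (nonPrimaryMouseClick || insignificantMetaClick) {
 return e.stopImmediatePropagation();
 }
 };
 
 }).call(this);
 (function() {
-var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement,
+var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement, handleMethod, handleRemote, loadCSPNonce, preventInsignificantClick, refreshCSRFTokens;
 
-fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm,
+fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, loadCSPNonce = Rails.loadCSPNonce, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm, preventInsignificantClick = Rails.preventInsignificantClick, handleRemote = Rails.handleRemote, formSubmitButtonClick = Rails.formSubmitButtonClick, handleMethod = Rails.handleMethod;
 
 if ((typeof jQuery !== "undefined" && jQuery !== null) && (jQuery.ajax != null)) {
 if (jQuery.rails) {
@@ -665,12 +672,13 @@ Released under the MIT license
 delegate(document, Rails.linkDisableSelector, 'ajax:stopped', enableElement);
 delegate(document, Rails.buttonDisableSelector, 'ajax:complete', enableElement);
 delegate(document, Rails.buttonDisableSelector, 'ajax:stopped', enableElement);
+delegate(document, Rails.linkClickSelector, 'click', preventInsignificantClick);
 delegate(document, Rails.linkClickSelector, 'click', handleDisabledElement);
 delegate(document, Rails.linkClickSelector, 'click', handleConfirm);
-delegate(document, Rails.linkClickSelector, 'click', handleMetaClick);
 delegate(document, Rails.linkClickSelector, 'click', disableElement);
 delegate(document, Rails.linkClickSelector, 'click', handleRemote);
 delegate(document, Rails.linkClickSelector, 'click', handleMethod);
+delegate(document, Rails.buttonClickSelector, 'click', preventInsignificantClick);
 delegate(document, Rails.buttonClickSelector, 'click', handleDisabledElement);
 delegate(document, Rails.buttonClickSelector, 'click', handleConfirm);
 delegate(document, Rails.buttonClickSelector, 'click', disableElement);
@@ -688,10 +696,12 @@ Released under the MIT license
 });
 delegate(document, Rails.formSubmitSelector, 'ajax:send', disableElement);
 delegate(document, Rails.formSubmitSelector, 'ajax:complete', enableElement);
+delegate(document, Rails.formInputClickSelector, 'click', preventInsignificantClick);
 delegate(document, Rails.formInputClickSelector, 'click', handleDisabledElement);
 delegate(document, Rails.formInputClickSelector, 'click', handleConfirm);
 delegate(document, Rails.formInputClickSelector, 'click', formSubmitButtonClick);
 document.addEventListener('DOMContentLoaded', refreshCSRFTokens);
+document.addEventListener('DOMContentLoaded', loadCSPNonce);
 return window._rails_loaded = true;
 };
 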
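--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 - !ruby/object:Gem::Dependency
 name: builder
 requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -230,8 +230,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-source_code_uri: https://github.com/rails/rails/tree/v5.2.
-changelog_uri: https://github.com/rails/rails/blob/v5.2.
+source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionview
+changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionview/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -248,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).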