actionview 5.2.6.2 → 5.2.7.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionview might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +22 -0
- data/lib/action_view/gem_version.rb +2 -2
- data/lib/action_view/helpers/tag_helper.rb +37 -6
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0b2a6c8b465b9914ab6831b8972018525cb2fc2a0c7f950a693ba7895ff52923
|
|
4
|
+
data.tar.gz: 1e9b4548ad481fed3e2b7dec7d256a611e858c8eee70e118d38daaa93f72f7b8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a2e838a423037a30cf4e4e12e8aab64c8e8493f1a370f921be0f7cfbfa92669da4f13cf7cd3c03c42d2c3a2f516b661ba1ca7baa4cf409bf3709b12d3b9692af
|
|
7
|
+
data.tar.gz: a705450df376aa7abcdd1762ee4f5a9cfc3165bd5102c7c82a7209f8910bd8d46f52d014c3a3feb5f22bfac327414dfeacd75d948b0e2f0ae5d746f0aab71dc7
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,25 @@
|
|
|
1
|
+
## Rails 5.2.7.1 (April 26, 2022) ##
|
|
2
|
+
|
|
3
|
+
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
|
|
4
|
+
|
|
5
|
+
Escape dangerous characters in names of tags and names of attributes in the
|
|
6
|
+
tag helpers, following the XML specification. Rename the option
|
|
7
|
+
`:escape_attributes` to `:escape`, to simplify by applying the option to the
|
|
8
|
+
whole tag.
|
|
9
|
+
|
|
10
|
+
*Álvaro Martín Fraguas*
|
|
11
|
+
|
|
12
|
+
|
|
13
|
+
## Rails 5.2.7 (March 10, 2022) ##
|
|
14
|
+
|
|
15
|
+
* No changes.
|
|
16
|
+
|
|
17
|
+
|
|
18
|
+
## Rails 5.2.6.3 (March 08, 2022) ##
|
|
19
|
+
|
|
20
|
+
* No changes.
|
|
21
|
+
|
|
22
|
+
|
|
1
23
|
## Rails 5.2.6.2 (February 11, 2022) ##
|
|
2
24
|
|
|
3
25
|
* No changes.
|
|
@@ -41,18 +41,25 @@ module ActionView
|
|
|
41
41
|
@view_context = view_context
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
def tag_string(name, content = nil,
|
|
44
|
+
def tag_string(name, content = nil, **options, &block)
|
|
45
|
+
escape = handle_deprecated_escape_options(options)
|
|
45
46
|
content = @view_context.capture(self, &block) if block_given?
|
|
47
|
+
|
|
46
48
|
if VOID_ELEMENTS.include?(name) && content.nil?
|
|
47
|
-
"<#{name.to_s.dasherize}#{tag_options(options,
|
|
49
|
+
"<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
|
|
48
50
|
else
|
|
49
|
-
content_tag_string(name.to_s.dasherize, content || "", options,
|
|
51
|
+
content_tag_string(name.to_s.dasherize, content || "", options, escape)
|
|
50
52
|
end
|
|
51
53
|
end
|
|
52
54
|
|
|
53
55
|
def content_tag_string(name, content, options, escape = true)
|
|
54
56
|
tag_options = tag_options(options, escape) if options
|
|
55
|
-
|
|
57
|
+
|
|
58
|
+
if escape
|
|
59
|
+
name = ERB::Util.xml_name_escape(name)
|
|
60
|
+
content = ERB::Util.unwrapped_html_escape(content)
|
|
61
|
+
end
|
|
62
|
+
|
|
56
63
|
"<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
|
|
57
64
|
end
|
|
58
65
|
|
|
@@ -85,6 +92,8 @@ module ActionView
|
|
|
85
92
|
end
|
|
86
93
|
|
|
87
94
|
def tag_option(key, value, escape)
|
|
95
|
+
key = ERB::Util.xml_name_escape(key) if escape
|
|
96
|
+
|
|
88
97
|
if value.is_a?(Array)
|
|
89
98
|
value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
|
|
90
99
|
else
|
|
@@ -106,8 +115,29 @@ module ActionView
|
|
|
106
115
|
true
|
|
107
116
|
end
|
|
108
117
|
|
|
109
|
-
def
|
|
110
|
-
|
|
118
|
+
def handle_deprecated_escape_options(options)
|
|
119
|
+
# The option :escape_attributes has been merged into the options hash to be
|
|
120
|
+
# able to warn when it is used, so we need to handle default values here.
|
|
121
|
+
escape_option_provided = options.has_key?(:escape)
|
|
122
|
+
escape_attributes_option_provided = options.has_key?(:escape_attributes)
|
|
123
|
+
|
|
124
|
+
if escape_attributes_option_provided
|
|
125
|
+
ActiveSupport::Deprecation.warn(<<~MSG)
|
|
126
|
+
Use of the option :escape_attributes is deprecated. It currently \
|
|
127
|
+
escapes both names and values of tags and attributes and it is \
|
|
128
|
+
equivalent to :escape. If any of them are enabled, the escaping \
|
|
129
|
+
is fully enabled.
|
|
130
|
+
MSG
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
return true unless escape_option_provided || escape_attributes_option_provided
|
|
134
|
+
escape_option = options.delete(:escape)
|
|
135
|
+
escape_attributes_option = options.delete(:escape_attributes)
|
|
136
|
+
escape_option || escape_attributes_option
|
|
137
|
+
end
|
|
138
|
+
|
|
139
|
+
def method_missing(called, *args, **options, &block)
|
|
140
|
+
tag_string(called, *args, **options, &block)
|
|
111
141
|
end
|
|
112
142
|
end
|
|
113
143
|
|
|
@@ -236,6 +266,7 @@ module ActionView
|
|
|
236
266
|
if name.nil?
|
|
237
267
|
tag_builder
|
|
238
268
|
else
|
|
269
|
+
name = ERB::Util.xml_name_escape(name) if escape
|
|
239
270
|
"<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
|
|
240
271
|
end
|
|
241
272
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionview
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.2.
|
|
4
|
+
version: 5.2.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-04-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 5.2.
|
|
19
|
+
version: 5.2.7.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 5.2.
|
|
26
|
+
version: 5.2.7.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: builder
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -92,28 +92,28 @@ dependencies:
|
|
|
92
92
|
requirements:
|
|
93
93
|
- - '='
|
|
94
94
|
- !ruby/object:Gem::Version
|
|
95
|
-
version: 5.2.
|
|
95
|
+
version: 5.2.7.1
|
|
96
96
|
type: :development
|
|
97
97
|
prerelease: false
|
|
98
98
|
version_requirements: !ruby/object:Gem::Requirement
|
|
99
99
|
requirements:
|
|
100
100
|
- - '='
|
|
101
101
|
- !ruby/object:Gem::Version
|
|
102
|
-
version: 5.2.
|
|
102
|
+
version: 5.2.7.1
|
|
103
103
|
- !ruby/object:Gem::Dependency
|
|
104
104
|
name: activemodel
|
|
105
105
|
requirement: !ruby/object:Gem::Requirement
|
|
106
106
|
requirements:
|
|
107
107
|
- - '='
|
|
108
108
|
- !ruby/object:Gem::Version
|
|
109
|
-
version: 5.2.
|
|
109
|
+
version: 5.2.7.1
|
|
110
110
|
type: :development
|
|
111
111
|
prerelease: false
|
|
112
112
|
version_requirements: !ruby/object:Gem::Requirement
|
|
113
113
|
requirements:
|
|
114
114
|
- - '='
|
|
115
115
|
- !ruby/object:Gem::Version
|
|
116
|
-
version: 5.2.
|
|
116
|
+
version: 5.2.7.1
|
|
117
117
|
description: Simple, battle-tested conventions and helpers for building web pages.
|
|
118
118
|
email: david@loudthinking.com
|
|
119
119
|
executables: []
|
|
@@ -230,8 +230,8 @@ homepage: http://rubyonrails.org
|
|
|
230
230
|
licenses:
|
|
231
231
|
- MIT
|
|
232
232
|
metadata:
|
|
233
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
|
234
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
|
233
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/actionview
|
|
234
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/actionview/CHANGELOG.md
|
|
235
235
|
post_install_message:
|
|
236
236
|
rdoc_options: []
|
|
237
237
|
require_paths:
|