actionview 5.2.7 → 5.2.7.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionview might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9b5c95d9da13c30d994f7b054cbcf5d8857be02ed3853c6a0a9e9c9cfc92c437
4
- data.tar.gz: 43a055a269ecefdfc2a7c2b1d65cdad59ecb6f3ec59712d2c7b46c2da408c741
3
+ metadata.gz: 0b2a6c8b465b9914ab6831b8972018525cb2fc2a0c7f950a693ba7895ff52923
4
+ data.tar.gz: 1e9b4548ad481fed3e2b7dec7d256a611e858c8eee70e118d38daaa93f72f7b8
5
5
  SHA512:
6
- metadata.gz: dda4aa565a765b022e9c428cdf52d8c7fd250b15d8cfb17b2bbb569b49249c0684515081f3dc6978c41d6c837c89d30dc33d129a6e300e8ef4b08caccae70840
7
- data.tar.gz: a1e4cea4e509ebdfc60a69340c7796060786fc958d85b1ed1484447360260dff5697cbd86b95e10ab13fc15822e58be3a13066bb72f0e7a515b8ff60b02ba1ee
6
+ metadata.gz: a2e838a423037a30cf4e4e12e8aab64c8e8493f1a370f921be0f7cfbfa92669da4f13cf7cd3c03c42d2c3a2f516b661ba1ca7baa4cf409bf3709b12d3b9692af
7
+ data.tar.gz: a705450df376aa7abcdd1762ee4f5a9cfc3165bd5102c7c82a7209f8910bd8d46f52d014c3a3feb5f22bfac327414dfeacd75d948b0e2f0ae5d746f0aab71dc7
data/CHANGELOG.md CHANGED
@@ -1,3 +1,15 @@
1
+ ## Rails 5.2.7.1 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Escape dangerous characters in names of tags and names of attributes in the
6
+ tag helpers, following the XML specification. Rename the option
7
+ `:escape_attributes` to `:escape`, to simplify by applying the option to the
8
+ whole tag.
9
+
10
+ *Álvaro Martín Fraguas*
11
+
12
+
1
13
  ## Rails 5.2.7 (March 10, 2022) ##
2
14
 
3
15
  * No changes.
@@ -10,7 +10,7 @@ module ActionView
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
12
  TINY = 7
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -41,18 +41,25 @@ module ActionView
41
41
  @view_context = view_context
42
42
  end
43
43
 
44
- def tag_string(name, content = nil, escape_attributes: true, **options, &block)
44
+ def tag_string(name, content = nil, **options, &block)
45
+ escape = handle_deprecated_escape_options(options)
45
46
  content = @view_context.capture(self, &block) if block_given?
47
+
46
48
  if VOID_ELEMENTS.include?(name) && content.nil?
47
- "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
49
+ "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
48
50
  else
49
- content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
51
+ content_tag_string(name.to_s.dasherize, content || "", options, escape)
50
52
  end
51
53
  end
52
54
 
53
55
  def content_tag_string(name, content, options, escape = true)
54
56
  tag_options = tag_options(options, escape) if options
55
- content = ERB::Util.unwrapped_html_escape(content) if escape
57
+
58
+ if escape
59
+ name = ERB::Util.xml_name_escape(name)
60
+ content = ERB::Util.unwrapped_html_escape(content)
61
+ end
62
+
56
63
  "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
57
64
  end
58
65
 
@@ -85,6 +92,8 @@ module ActionView
85
92
  end
86
93
 
87
94
  def tag_option(key, value, escape)
95
+ key = ERB::Util.xml_name_escape(key) if escape
96
+
88
97
  if value.is_a?(Array)
89
98
  value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
90
99
  else
@@ -106,8 +115,29 @@ module ActionView
106
115
  true
107
116
  end
108
117
 
109
- def method_missing(called, *args, &block)
110
- tag_string(called, *args, &block)
118
+ def handle_deprecated_escape_options(options)
119
+ # The option :escape_attributes has been merged into the options hash to be
120
+ # able to warn when it is used, so we need to handle default values here.
121
+ escape_option_provided = options.has_key?(:escape)
122
+ escape_attributes_option_provided = options.has_key?(:escape_attributes)
123
+
124
+ if escape_attributes_option_provided
125
+ ActiveSupport::Deprecation.warn(<<~MSG)
126
+ Use of the option :escape_attributes is deprecated. It currently \
127
+ escapes both names and values of tags and attributes and it is \
128
+ equivalent to :escape. If any of them are enabled, the escaping \
129
+ is fully enabled.
130
+ MSG
131
+ end
132
+
133
+ return true unless escape_option_provided || escape_attributes_option_provided
134
+ escape_option = options.delete(:escape)
135
+ escape_attributes_option = options.delete(:escape_attributes)
136
+ escape_option || escape_attributes_option
137
+ end
138
+
139
+ def method_missing(called, *args, **options, &block)
140
+ tag_string(called, *args, **options, &block)
111
141
  end
112
142
  end
113
143
 
@@ -236,6 +266,7 @@ module ActionView
236
266
  if name.nil?
237
267
  tag_builder
238
268
  else
269
+ name = ERB::Util.xml_name_escape(name) if escape
239
270
  "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
240
271
  end
241
272
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionview
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.7
4
+ version: 5.2.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-10 00:00:00.000000000 Z
11
+ date: 2022-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 5.2.7
19
+ version: 5.2.7.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 5.2.7
26
+ version: 5.2.7.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: builder
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
92
92
  requirements:
93
93
  - - '='
94
94
  - !ruby/object:Gem::Version
95
- version: 5.2.7
95
+ version: 5.2.7.1
96
96
  type: :development
97
97
  prerelease: false
98
98
  version_requirements: !ruby/object:Gem::Requirement
99
99
  requirements:
100
100
  - - '='
101
101
  - !ruby/object:Gem::Version
102
- version: 5.2.7
102
+ version: 5.2.7.1
103
103
  - !ruby/object:Gem::Dependency
104
104
  name: activemodel
105
105
  requirement: !ruby/object:Gem::Requirement
106
106
  requirements:
107
107
  - - '='
108
108
  - !ruby/object:Gem::Version
109
- version: 5.2.7
109
+ version: 5.2.7.1
110
110
  type: :development
111
111
  prerelease: false
112
112
  version_requirements: !ruby/object:Gem::Requirement
113
113
  requirements:
114
114
  - - '='
115
115
  - !ruby/object:Gem::Version
116
- version: 5.2.7
116
+ version: 5.2.7.1
117
117
  description: Simple, battle-tested conventions and helpers for building web pages.
118
118
  email: david@loudthinking.com
119
119
  executables: []
@@ -230,9 +230,9 @@ homepage: http://rubyonrails.org
230
230
  licenses:
231
231
  - MIT
232
232
  metadata:
233
- source_code_uri: https://github.com/rails/rails/tree/v5.2.7/actionview
234
- changelog_uri: https://github.com/rails/rails/blob/v5.2.7/actionview/CHANGELOG.md
235
- post_install_message:
233
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/actionview
234
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/actionview/CHANGELOG.md
235
+ post_install_message:
236
236
  rdoc_options: []
237
237
  require_paths:
238
238
  - lib
@@ -249,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
249
249
  requirements:
250
250
  - none
251
251
  rubygems_version: 3.1.6
252
- signing_key:
252
+ signing_key:
253
253
  specification_version: 4
254
254
  summary: Rendering framework putting the V in MVC (part of Rails).
255
255
  test_files: []