actionview 6.1.4.6 → 6.1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe53fe4c85e73a08f9dcadefd08ce267e0617f6336ee0bf758757e35ac11224c
-  data.tar.gz: 9f82b0e20785f3775159cf270571c612321402ac935aedb228b948c13177a1a5
+  metadata.gz: 347465d701c1688d4e91d033d1f29b16f6f284005f9aaeefc71a36ef0ff439a8
+  data.tar.gz: de5710a75c9b8aa8bcf02e34bb62efc0818f9069c71600a8b50cedf31c0ed94f
 SHA512:
-  metadata.gz: 2084fd88f1356420e4a4fef1725ff780c5db3e916c473079cf52ea775b7f8891928e03878b8a1881cc0ea901429712b86934217e85b486b4d51ee2a0046bedd2
-  data.tar.gz: 7ad9a864dd2dc237229a0f23f4f45951c215e13d0d35b4bdfe662635132861c37a91728f60578048f5d778fad5ff044fc31f10bac73962447d4992efa7e584a7
+  metadata.gz: cbe1e77c8db14198627aafa50b6e8438446828ddf6ecfed37732fb2cc72db2ff03a344a8bee860677a98eb2d6d85875b626b7119e92ac20884631547e7957309
+  data.tar.gz: 890f5eb3fa70152816e5397b39745836ad36efe145eeff80df744dfc09878abbaa3707472eeb53025049dc3ab4e02e0766668ea56cd658f001f9a3f4a3b8514b

data/CHANGELOG.md

@@ -1,3 +1,42 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
+
+    *Álvaro Martín Fraguas*
+
+## Rails 6.1.5 (March 09, 2022) ##
+
+*   `preload_link_tag` properly inserts `as` attributes for files with `image` MIME
+    types, such as JPG or SVG.
+
+    *Nate Berkopec*
+
+*   Add `autocomplete="off"` to all generated hidden fields.
+
+    Fixes #42610.
+
+    *Ryan Baumann*
+
+*   Fix `current_page?` when URL has trailing slash.
+
+    This fixes the `current_page?` helper when the given URL has a trailing slash,
+    and is an absolute URL or also has query params.
+
+    Fixes #33956.
+
+    *Jonathan Hefner*
+
+
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2020 David Heinemeier Hansson
+Copyright (c) 2004-2022 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
@@ -18,4 +18,3 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-

data/lib/action_view/gem_version.rb

@@ -9,8 +9,8 @@ module ActionView
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 4
-    PRE   = "6"
+    TINY  = 5
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -509,7 +509,7 @@ module ActionView
             "style"
           elsif extname == "vtt"
             "track"
-          elsif (type = mime_type.to_s.split("/")[0]) && type.in?(%w(audio video font))
+          elsif (type = mime_type.to_s.split("/")[0]) && type.in?(%w(audio video font image))
             type
           end
         end

data/lib/action_view/helpers/date_helper.rb

@@ -1101,7 +1101,8 @@ module ActionView
             type: "hidden",
             id: input_id_from_type(type),
             name: input_name_from_type(type),
-            value: value
+            value: value,
+            autocomplete: "off"
           }.merge!(@html_options.slice(:disabled))
           select_options[:disabled] = "disabled" if @options[:disabled]
 

data/lib/action_view/helpers/form_tag_helper.rb

@@ -241,7 +241,7 @@ module ActionView
       #   # => <input id="collected_input" name="collected_input" onchange="alert('Input collected!')"
       #   #    type="hidden" value="" />
       def hidden_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: :hidden))
+        text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off"))
       end
 
       # Creates a file upload field. If you are using file uploads then you will also need
@@ -823,7 +823,7 @@ module ActionView
         # Use raw HTML to ensure the value is written as an HTML entity; it
         # needs to be the right character regardless of which encoding the
         # browser infers.
-        '<input name="utf8" type="hidden" value="&#x2713;" />'.html_safe
+        '<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />'.html_safe
       end
 
       private

data/lib/action_view/helpers/tag_helper.rb

@@ -53,18 +53,25 @@ module ActionView
           tag_string(:p, *arguments, **options, &block)
         end
 
-        def tag_string(name, content = nil, escape_attributes: true, **options, &block)
+        def tag_string(name, content = nil, **options, &block)
+          escape = handle_deprecated_escape_options(options)
+
           content = @view_context.capture(self, &block) if block_given?
           if VOID_ELEMENTS.include?(name) && content.nil?
-            "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
+            "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
           else
-            content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
+            content_tag_string(name.to_s.dasherize, content || "", options, escape)
           end
         end
 
         def content_tag_string(name, content, options, escape = true)
           tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.unwrapped_html_escape(content) if escape
+
+          if escape
+            name = ERB::Util.xml_name_escape(name)
+            content = ERB::Util.unwrapped_html_escape(content)
+          end
+
           "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
         end
 
@@ -115,6 +122,8 @@ module ActionView
         end
 
         def tag_option(key, value, escape)
+          key = ERB::Util.xml_name_escape(key) if escape
+
           case value
           when Array, Hash
             value = TagHelper.build_tag_values(value) if key.to_s == "class"
@@ -123,6 +132,7 @@ module ActionView
             value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
           end
           value = value.gsub('"', "&quot;") if value.include?('"')
+
           %(#{key}="#{value}")
         end
 
@@ -139,6 +149,27 @@ module ActionView
             true
           end
 
+          def handle_deprecated_escape_options(options)
+            # The option :escape_attributes has been merged into the options hash to be
+            # able to warn when it is used, so we need to handle default values here.
+            escape_option_provided = options.has_key?(:escape)
+            escape_attributes_option_provided = options.has_key?(:escape_attributes)
+
+            if escape_attributes_option_provided
+              ActiveSupport::Deprecation.warn(<<~MSG)
+                Use of the option :escape_attributes is deprecated. It currently \
+                escapes both names and values of tags and attributes and it is \
+                equivalent to :escape. If any of them are enabled, the escaping \
+                is fully enabled.
+              MSG
+            end
+
+            return true unless escape_option_provided || escape_attributes_option_provided
+            escape_option = options.delete(:escape)
+            escape_attributes_option = options.delete(:escape_attributes)
+            escape_option || escape_attributes_option
+          end
+
           def method_missing(called, *args, **options, &block)
             tag_string(called, *args, **options, &block)
           end
@@ -202,13 +233,13 @@ module ActionView
       #   tag.div data: { city_state: %w( Chicago IL ) }
       #   # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
       #
-      # The generated attributes are escaped by default. This can be disabled using
-      # +escape_attributes+.
+      # The generated tag names and attributes are escaped by default. This can be disabled using
+      # +escape+.
       #
       #   tag.img src: 'open & shut.png'
       #   # => <img src="open &amp; shut.png">
       #
-      #   tag.img src: 'open & shut.png', escape_attributes: false
+      #   tag.img src: 'open & shut.png', escape: false
       #   # => <img src="open & shut.png">
       #
       # The tag builder respects
@@ -272,6 +303,7 @@ module ActionView
         if name.nil?
           tag_builder
         else
+          name = ERB::Util.xml_name_escape(name) if escape
           "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
         end
       end
@@ -280,7 +312,7 @@ module ActionView
       # HTML attributes by passing an attributes hash to +options+.
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +options+ as the second parameter.
-      # Set escape to false to disable attribute value escaping.
+      # Set escape to false to disable escaping.
       # Note: this is legacy syntax, see +tag+ method description for details.
       #
       # ==== Options

data/lib/action_view/helpers/tags/base.rb

@@ -153,7 +153,7 @@ module ActionView
             select = content_tag("select", add_options(option_tags, options, value), html_options)
 
             if html_options["multiple"] && options.fetch(:include_hidden, true)
-              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "") + select
+              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
             else
               select
             end

data/lib/action_view/helpers/tags/check_box.rb

@@ -57,7 +57,7 @@ module ActionView
           end
 
           def hidden_field_for_checkbox(options)
-            @unchecked_value ? tag("input", options.slice("name", "disabled", "form").merge!("type" => "hidden", "value" => @unchecked_value)) : "".html_safe
+            @unchecked_value ? tag("input", options.slice("name", "disabled", "form").merge!("type" => "hidden", "value" => @unchecked_value, "autocomplete" => "off")) : "".html_safe
           end
       end
     end

data/lib/action_view/helpers/tags/hidden_field.rb

@@ -4,6 +4,10 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class HiddenField < TextField # :nodoc:
+        def render
+          @options[:autocomplete] = "off"
+          super
+        end
       end
     end
   end

data/lib/action_view/helpers/url_helper.rb

@@ -337,7 +337,8 @@ module ActionView
         inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag)
         if params
           to_form_params(params).each do |param|
-            inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value])
+            inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value],
+                                       autocomplete: "off")
           end
         end
         content_tag("form", inner_tags, form_options)
@@ -559,16 +560,14 @@ module ActionView
         request_uri = url_string.index("?") || check_parameters ? request.fullpath : request.path
         request_uri = URI::DEFAULT_PARSER.unescape(request_uri).force_encoding(Encoding::BINARY)
 
-        if url_string.start_with?("/") && url_string != "/"
-          url_string.chomp!("/")
-          request_uri.chomp!("/")
-        end
-
         if %r{^\w+://}.match?(url_string)
-          url_string == "#{request.protocol}#{request.host_with_port}#{request_uri}"
-        else
-          url_string == request_uri
+          request_uri = +"#{request.protocol}#{request.host_with_port}#{request_uri}"
         end
+
+        remove_trailing_slash!(url_string)
+        remove_trailing_slash!(request_uri)
+
+        url_string == request_uri
       end
 
       if RUBY_VERSION.start_with?("2.7")
@@ -728,14 +727,14 @@ module ActionView
         def token_tag(token = nil, form_options: {})
           if token != false && defined?(protect_against_forgery?) && protect_against_forgery?
             token ||= form_authenticity_token(form_options: form_options)
-            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
+            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token, autocomplete: "off")
           else
             ""
           end
         end
 
         def method_tag(method)
-          tag("input", type: "hidden", name: "_method", value: method.to_s)
+          tag("input", type: "hidden", name: "_method", value: method.to_s, autocomplete: "off")
         end
 
         # Returns an array of hashes each containing :name and :value keys
@@ -779,6 +778,11 @@ module ActionView
 
           params.sort_by { |pair| pair[:name] }
         end
+
+        def remove_trailing_slash!(url_string)
+          trailing_index = (url_string.index("?") || 0) - 1
+          url_string[trailing_index] = "" if url_string[trailing_index] == "/"
+        end
     end
   end
 end

data/lib/action_view/railtie.rb

@@ -46,7 +46,7 @@ module ActionView
         app.config.action_view.each do |k, v|
           if k == :raise_on_missing_translations
             ActiveSupport::Deprecation.warn \
-              "action_view.raise_on_missing_translations is deprecated and will be removed in Rails 6.2. " \
+              "action_view.raise_on_missing_translations is deprecated and will be removed in Rails 7.0. " \
               "Set i18n.raise_on_missing_translations instead. " \
               "Note that this new setting also affects how missing translations are handled in controllers."
           end

data/lib/action_view.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2020 David Heinemeier Hansson
+# Copyright (c) 2004-2022 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 6.1.4.6
+  version: 6.1.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -239,10 +239,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.4.6/actionview/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.4.6/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.5.1/actionview/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.5.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.4.6/actionview
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.5.1/actionview
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -259,7 +260,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).