actionview 6.1.5 → 6.1.6
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/lib/action_view/gem_version.rb +1 -1
- data/lib/action_view/helpers/tag_helper.rb +40 -8
- metadata +14 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c4bae3a74568f6dbff0e464b74b3fa12cf8b72a41db89c5ec72921245dc89bfd
|
4
|
+
data.tar.gz: 551e402a6910e9a29c4d3c19de8a254539f0208bf9a578cb2f085243aadc299a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1c2e9630dca3a438606675bc2214551000d3604b48d2455f4819a33791113bb50d6b04c8d6a7462436dc81462a679fe66a4fb0788bb3b72b7913827fe1234254
|
7
|
+
data.tar.gz: 1e94a23314cf2ea60ccf4f97721c9317540eedfa8258566c5c04bd0068ae5fc6c60eaefd8108d2291418187f151c89f5ac40e705567d9dec2b8f3b46fd5de52c
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,14 @@
|
|
1
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
2
|
+
|
3
|
+
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
|
4
|
+
|
5
|
+
Escape dangerous characters in names of tags and names of attributes in the
|
6
|
+
tag helpers, following the XML specification. Rename the option
|
7
|
+
`:escape_attributes` to `:escape`, to simplify by applying the option to the
|
8
|
+
whole tag.
|
9
|
+
|
10
|
+
*Álvaro Martín Fraguas*
|
11
|
+
|
1
12
|
## Rails 6.1.5 (March 09, 2022) ##
|
2
13
|
|
3
14
|
* `preload_link_tag` properly inserts `as` attributes for files with `image` MIME
|
@@ -53,18 +53,25 @@ module ActionView
|
|
53
53
|
tag_string(:p, *arguments, **options, &block)
|
54
54
|
end
|
55
55
|
|
56
|
-
def tag_string(name, content = nil,
|
56
|
+
def tag_string(name, content = nil, **options, &block)
|
57
|
+
escape = handle_deprecated_escape_options(options)
|
58
|
+
|
57
59
|
content = @view_context.capture(self, &block) if block_given?
|
58
60
|
if VOID_ELEMENTS.include?(name) && content.nil?
|
59
|
-
"<#{name.to_s.dasherize}#{tag_options(options,
|
61
|
+
"<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
|
60
62
|
else
|
61
|
-
content_tag_string(name.to_s.dasherize, content || "", options,
|
63
|
+
content_tag_string(name.to_s.dasherize, content || "", options, escape)
|
62
64
|
end
|
63
65
|
end
|
64
66
|
|
65
67
|
def content_tag_string(name, content, options, escape = true)
|
66
68
|
tag_options = tag_options(options, escape) if options
|
67
|
-
|
69
|
+
|
70
|
+
if escape
|
71
|
+
name = ERB::Util.xml_name_escape(name)
|
72
|
+
content = ERB::Util.unwrapped_html_escape(content)
|
73
|
+
end
|
74
|
+
|
68
75
|
"<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
|
69
76
|
end
|
70
77
|
|
@@ -115,6 +122,8 @@ module ActionView
|
|
115
122
|
end
|
116
123
|
|
117
124
|
def tag_option(key, value, escape)
|
125
|
+
key = ERB::Util.xml_name_escape(key) if escape
|
126
|
+
|
118
127
|
case value
|
119
128
|
when Array, Hash
|
120
129
|
value = TagHelper.build_tag_values(value) if key.to_s == "class"
|
@@ -123,6 +132,7 @@ module ActionView
|
|
123
132
|
value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
|
124
133
|
end
|
125
134
|
value = value.gsub('"', """) if value.include?('"')
|
135
|
+
|
126
136
|
%(#{key}="#{value}")
|
127
137
|
end
|
128
138
|
|
@@ -139,6 +149,27 @@ module ActionView
|
|
139
149
|
true
|
140
150
|
end
|
141
151
|
|
152
|
+
def handle_deprecated_escape_options(options)
|
153
|
+
# The option :escape_attributes has been merged into the options hash to be
|
154
|
+
# able to warn when it is used, so we need to handle default values here.
|
155
|
+
escape_option_provided = options.has_key?(:escape)
|
156
|
+
escape_attributes_option_provided = options.has_key?(:escape_attributes)
|
157
|
+
|
158
|
+
if escape_attributes_option_provided
|
159
|
+
ActiveSupport::Deprecation.warn(<<~MSG)
|
160
|
+
Use of the option :escape_attributes is deprecated. It currently \
|
161
|
+
escapes both names and values of tags and attributes and it is \
|
162
|
+
equivalent to :escape. If any of them are enabled, the escaping \
|
163
|
+
is fully enabled.
|
164
|
+
MSG
|
165
|
+
end
|
166
|
+
|
167
|
+
return true unless escape_option_provided || escape_attributes_option_provided
|
168
|
+
escape_option = options.delete(:escape)
|
169
|
+
escape_attributes_option = options.delete(:escape_attributes)
|
170
|
+
escape_option || escape_attributes_option
|
171
|
+
end
|
172
|
+
|
142
173
|
def method_missing(called, *args, **options, &block)
|
143
174
|
tag_string(called, *args, **options, &block)
|
144
175
|
end
|
@@ -202,13 +233,13 @@ module ActionView
|
|
202
233
|
# tag.div data: { city_state: %w( Chicago IL ) }
|
203
234
|
# # => <div data-city-state="["Chicago","IL"]"></div>
|
204
235
|
#
|
205
|
-
# The generated attributes are escaped by default. This can be disabled using
|
206
|
-
# +
|
236
|
+
# The generated tag names and attributes are escaped by default. This can be disabled using
|
237
|
+
# +escape+.
|
207
238
|
#
|
208
239
|
# tag.img src: 'open & shut.png'
|
209
240
|
# # => <img src="open & shut.png">
|
210
241
|
#
|
211
|
-
# tag.img src: 'open & shut.png',
|
242
|
+
# tag.img src: 'open & shut.png', escape: false
|
212
243
|
# # => <img src="open & shut.png">
|
213
244
|
#
|
214
245
|
# The tag builder respects
|
@@ -272,6 +303,7 @@ module ActionView
|
|
272
303
|
if name.nil?
|
273
304
|
tag_builder
|
274
305
|
else
|
306
|
+
name = ERB::Util.xml_name_escape(name) if escape
|
275
307
|
"<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
|
276
308
|
end
|
277
309
|
end
|
@@ -280,7 +312,7 @@ module ActionView
|
|
280
312
|
# HTML attributes by passing an attributes hash to +options+.
|
281
313
|
# Instead of passing the content as an argument, you can also use a block
|
282
314
|
# in which case, you pass your +options+ as the second parameter.
|
283
|
-
# Set escape to false to disable
|
315
|
+
# Set escape to false to disable escaping.
|
284
316
|
# Note: this is legacy syntax, see +tag+ method description for details.
|
285
317
|
#
|
286
318
|
# ==== Options
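Review bot: In handle_deprecated_escape_options, a key that is present but nil — `tag.div(escape: nil)` — disables escaping, because has_key?(:escape) makes the `return true unless …` guard fall through and `escape_option || escape_attributes_option` then evaluates to nil, whereas an absent key defaults to true. Treating an explicit nil like an absent key would close that gap: after the two `options.delete` calls, add `return true if escape_option.nil? && escape_attributes_option.nil?` before the final `escape_option || escape_attributes_option`. A short comment on the method stating that escaping stays on when either option is truthy would also help, since the deprecation message is currently the only place that contract is spelled out. The void-element branch of tag_string interpolates the name without xml_name_escape, which looks safe only because VOID_ELEMENTS.include?(name) has already constrained it to a known set — a one-line comment there would record that reasoning. The enclosing TagBuilder class starts and ends outside these hunks.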
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionview
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.
|
4
|
+
version: 6.1.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-05-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.1.
|
19
|
+
version: 6.1.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.1.
|
26
|
+
version: 6.1.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: builder
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -92,28 +92,28 @@ dependencies:
|
|
92
92
|
requirements:
|
93
93
|
- - '='
|
94
94
|
- !ruby/object:Gem::Version
|
95
|
-
version: 6.1.
|
95
|
+
version: 6.1.6
|
96
96
|
type: :development
|
97
97
|
prerelease: false
|
98
98
|
version_requirements: !ruby/object:Gem::Requirement
|
99
99
|
requirements:
|
100
100
|
- - '='
|
101
101
|
- !ruby/object:Gem::Version
|
102
|
-
version: 6.1.
|
102
|
+
version: 6.1.6
|
103
103
|
- !ruby/object:Gem::Dependency
|
104
104
|
name: activemodel
|
105
105
|
requirement: !ruby/object:Gem::Requirement
|
106
106
|
requirements:
|
107
107
|
- - '='
|
108
108
|
- !ruby/object:Gem::Version
|
109
|
-
version: 6.1.
|
109
|
+
version: 6.1.6
|
110
110
|
type: :development
|
111
111
|
prerelease: false
|
112
112
|
version_requirements: !ruby/object:Gem::Requirement
|
113
113
|
requirements:
|
114
114
|
- - '='
|
115
115
|
- !ruby/object:Gem::Version
|
116
|
-
version: 6.1.
|
116
|
+
version: 6.1.6
|
117
117
|
description: Simple, battle-tested conventions and helpers for building web pages.
|
118
118
|
email: david@loudthinking.com
|
119
119
|
executables: []
|
@@ -239,12 +239,12 @@ licenses:
|
|
239
239
|
- MIT
|
240
240
|
metadata:
|
241
241
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
242
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.
|
243
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.
|
242
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.6/actionview/CHANGELOG.md
|
243
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.6/
|
244
244
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
245
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.
|
245
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.6/actionview
|
246
246
|
rubygems_mfa_required: 'true'
|
247
|
-
post_install_message:
|
247
|
+
post_install_message:
|
248
248
|
rdoc_options: []
|
249
249
|
require_paths:
|
250
250
|
- lib
|
@@ -261,7 +261,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
261
261
|
requirements:
|
262
262
|
- none
|
263
263
|
rubygems_version: 3.3.7
|
264
|
-
signing_key:
|
264
|
+
signing_key:
|
265
265
|
specification_version: 4
|
266
266
|
summary: Rendering framework putting the V in MVC (part of Rails).
|
267
267
|
test_files: []
|