actionview 7.0.2.1 → 7.0.2.4

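--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 2514d4c995366fdadafe620566090029761c449aa25b400802ab8150616451bb
-data.tar.gz: e386f9582ec067004ac317616d519e11342cba217850721eb9b0164a52d64f27
+metadata.gz: 05b202fb72d79b08cc80097deb5e09fda321f310a8a06c361599e95a76c16cfc
+data.tar.gz: 64d8271b6a06f9de6f6692b96a1ba3016b53d10b068df1c41db4c81094e642d3
 SHA512:
-metadata.gz: c2a769ea93e6f037039d3414f81785ce58b67cd762a11a3bf406c60aadc953e8ff8fd1b8a44bf8cd45d69fca7d330122de44a381ba514d9197de6fc640e089e2
-data.tar.gz: bfbd0a092409bbe748e973d3d3d42ad5cd7fbc8f314866395a6a5bd368ff7aa49c7d6b78f063cc5249a68b90ada4f6192a76cfde838f98cbd9abacbcb1f0b837
+metadata.gz: 42594ba6f50e9611210173d7a4e42351c928acf1024ea33858d91679b20df6d8fb5b49aa7f21ee147827efcf005ffdb60025cc15293d4f462c1927c3c251155e
+data.tar.gz: ac02f50538a88bc0fec35186567e376c95908cc791b500b24fbcdcbc9ae0a0c839a0f9245e9fae67ea6dde9304e53fe62ad30f0ad4bdf96aced044651df7f4f8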
data/CHANGELOG.md CHANGED
@@ -1,3 +1,24 @@
1
+ ## Rails 7.0.2.4 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Escape dangerous characters in names of tags and names of attributes in the
6
+ tag helpers, following the XML specification. Rename the option
7
+ `:escape_attributes` to `:escape`, to simplify by applying the option to the
8
+ whole tag.
9
+
10
+ *Álvaro Martín Fraguas*
11
+
12
+ ## Rails 7.0.2.3 (March 08, 2022) ##
13
+
14
+ * No changes.
15
+
16
+
17
+ ## Rails 7.0.2.2 (February 11, 2022) ##
18
+
19
+ * No changes.
20
+
21
+
1
22
  ## Rails 7.0.2.1 (February 11, 2022) ##
2
23
 
3
24
  * No changes.
@@ -10,7 +10,7 @@ module ActionView
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 2
13
- PRE = "1"
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -65,18 +65,25 @@ module ActionView
65
65
  tag_string(:p, *arguments, **options, &block)
66
66
  end
67
67
 
68
- def tag_string(name, content = nil, escape_attributes: true, **options, &block)
68
+ def tag_string(name, content = nil, **options, &block)
69
+ escape = handle_deprecated_escape_options(options)
70
+
69
71
  content = @view_context.capture(self, &block) if block_given?
70
72
  if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil?
71
- "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
73
+ "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
72
74
  else
73
- content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
75
+ content_tag_string(name.to_s.dasherize, content || "", options, escape)
74
76
  end
75
77
  end
76
78
 
77
79
  def content_tag_string(name, content, options, escape = true)
78
80
  tag_options = tag_options(options, escape) if options
79
- content = ERB::Util.unwrapped_html_escape(content) if escape
81
+
82
+ if escape
83
+ name = ERB::Util.xml_name_escape(name)
84
+ content = ERB::Util.unwrapped_html_escape(content)
85
+ end
86
+
80
87
  "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
81
88
  end
82
89
 
@@ -127,6 +134,8 @@ module ActionView
127
134
  end
128
135
 
129
136
  def tag_option(key, value, escape)
137
+ key = ERB::Util.xml_name_escape(key) if escape
138
+
130
139
  case value
131
140
  when Array, Hash
132
141
  value = TagHelper.build_tag_values(value) if key.to_s == "class"
@@ -137,6 +146,7 @@ module ActionView
137
146
  value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
138
147
  end
139
148
  value = value.gsub('"', "&quot;") if value.include?('"')
149
+
140
150
  %(#{key}="#{value}")
141
151
  end
142
152
 
@@ -153,6 +163,27 @@ module ActionView
153
163
  true
154
164
  end
155
165
 
166
+ def handle_deprecated_escape_options(options)
167
+ # The option :escape_attributes has been merged into the options hash to be
168
+ # able to warn when it is used, so we need to handle default values here.
169
+ escape_option_provided = options.has_key?(:escape)
170
+ escape_attributes_option_provided = options.has_key?(:escape_attributes)
171
+
172
+ if escape_attributes_option_provided
173
+ ActiveSupport::Deprecation.warn(<<~MSG)
174
+ Use of the option :escape_attributes is deprecated. It currently \
175
+ escapes both names and values of tags and attributes and it is \
176
+ equivalent to :escape. If any of them are enabled, the escaping \
177
+ is fully enabled.
178
+ MSG
179
+ end
180
+
181
+ return true unless escape_option_provided || escape_attributes_option_provided
182
+ escape_option = options.delete(:escape)
183
+ escape_attributes_option = options.delete(:escape_attributes)
184
+ escape_option || escape_attributes_option
185
+ end
186
+
156
187
  def method_missing(called, *args, **options, &block)
157
188
  tag_string(called, *args, **options, &block)
158
189
  end
@@ -216,13 +247,13 @@ module ActionView
216
247
  # tag.div data: { city_state: %w( Chicago IL ) }
217
248
  # # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
218
249
  #
219
- # The generated attributes are escaped by default. This can be disabled using
220
- # +escape_attributes+.
250
+ # The generated tag names and attributes are escaped by default. This can be disabled using
251
+ # +escape+.
221
252
  #
222
253
  # tag.img src: 'open & shut.png'
223
254
  # # => <img src="open &amp; shut.png">
224
255
  #
225
- # tag.img src: 'open & shut.png', escape_attributes: false
256
+ # tag.img src: 'open & shut.png', escape: false
226
257
  # # => <img src="open & shut.png">
227
258
  #
228
259
  # The tag builder respects
@@ -300,6 +331,7 @@ module ActionView
300
331
  if name.nil?
301
332
  tag_builder
302
333
  else
334
+ name = ERB::Util.xml_name_escape(name) if escape
303
335
  "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
304
336
  end
305
337
  end
@@ -308,7 +340,7 @@ module ActionView
308
340
  # HTML attributes by passing an attributes hash to +options+.
309
341
  # Instead of passing the content as an argument, you can also use a block
310
342
  # in which case, you pass your +options+ as the second parameter.
311
- # Set escape to false to disable attribute value escaping.
343
+ # Set escape to false to disable escaping.
312
344
  # Note: this is legacy syntax, see +tag+ method description for details.
313
345
  #
314
346
  # ==== Options
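Review bot: In the hunk `@@ -153,6 +163,27 @@`, `handle_deprecated_escape_options` disables escaping whenever `:escape` is present with a `nil` value — `has_key?(:escape)` is true, so the early `return true` is skipped and `escape_option || escape_attributes_option` evaluates to `nil` — which means a caller forwarding an unset variable (`escape: some_flag`) silently turns off the new tag-name and attribute escaping instead of getting the documented default of `true`. Treating only an explicit `false` as a request to disable would keep the fail-safe direction: replace the `return true unless …` line and the three below it with `escape_option = options.delete(:escape)`, `escape_attributes_option = options.delete(:escape_attributes)`, `escape_option.nil? && escape_attributes_option.nil? ? true : (escape_option || escape_attributes_option)`. The method's leading comment also does not mention that both keys are removed from `options` as a side effect; I'd add `# Both keys are deleted from +options+ here so they are never emitted as attributes.` above the `delete` calls. The hunks from `@@ -10,7 +10,7 @@ module ActionView` onward appear to belong to Ruby source files rather than CHANGELOG.md — their file headers are missing from the page.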
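--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: builder
 requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.1
+version: 7.0.2.4
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -246,10 +246,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.2.1/actionview/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.0.2.1/
+changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.2.1/actionview
+source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -267,7 +267,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).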