actionview 7.0.2.1 → 7.0.2.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/lib/action_view/gem_version.rb +1 -1
- data/lib/action_view/helpers/tag_helper.rb +40 -8
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 05b202fb72d79b08cc80097deb5e09fda321f310a8a06c361599e95a76c16cfc
|
4
|
+
data.tar.gz: 64d8271b6a06f9de6f6692b96a1ba3016b53d10b068df1c41db4c81094e642d3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 42594ba6f50e9611210173d7a4e42351c928acf1024ea33858d91679b20df6d8fb5b49aa7f21ee147827efcf005ffdb60025cc15293d4f462c1927c3c251155e
|
7
|
+
data.tar.gz: ac02f50538a88bc0fec35186567e376c95908cc791b500b24fbcdcbc9ae0a0c839a0f9245e9fae67ea6dde9304e53fe62ad30f0ad4bdf96aced044651df7f4f8
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,24 @@
|
|
1
|
+
## Rails 7.0.2.4 (April 26, 2022) ##
|
2
|
+
|
3
|
+
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
|
4
|
+
|
5
|
+
Escape dangerous characters in names of tags and names of attributes in the
|
6
|
+
tag helpers, following the XML specification. Rename the option
|
7
|
+
`:escape_attributes` to `:escape`, to simplify by applying the option to the
|
8
|
+
whole tag.
|
9
|
+
|
10
|
+
*Álvaro Martín Fraguas*
|
11
|
+
|
12
|
+
## Rails 7.0.2.3 (March 08, 2022) ##
|
13
|
+
|
14
|
+
* No changes.
|
15
|
+
|
16
|
+
|
17
|
+
## Rails 7.0.2.2 (February 11, 2022) ##
|
18
|
+
|
19
|
+
* No changes.
|
20
|
+
|
21
|
+
|
1
22
|
## Rails 7.0.2.1 (February 11, 2022) ##
|
2
23
|
|
3
24
|
* No changes.
|
@@ -65,18 +65,25 @@ module ActionView
|
|
65
65
|
tag_string(:p, *arguments, **options, &block)
|
66
66
|
end
|
67
67
|
|
68
|
-
def tag_string(name, content = nil,
|
68
|
+
def tag_string(name, content = nil, **options, &block)
|
69
|
+
escape = handle_deprecated_escape_options(options)
|
70
|
+
|
69
71
|
content = @view_context.capture(self, &block) if block_given?
|
70
72
|
if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil?
|
71
|
-
"<#{name.to_s.dasherize}#{tag_options(options,
|
73
|
+
"<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
|
72
74
|
else
|
73
|
-
content_tag_string(name.to_s.dasherize, content || "", options,
|
75
|
+
content_tag_string(name.to_s.dasherize, content || "", options, escape)
|
74
76
|
end
|
75
77
|
end
|
76
78
|
|
77
79
|
def content_tag_string(name, content, options, escape = true)
|
78
80
|
tag_options = tag_options(options, escape) if options
|
79
|
-
|
81
|
+
|
82
|
+
if escape
|
83
|
+
name = ERB::Util.xml_name_escape(name)
|
84
|
+
content = ERB::Util.unwrapped_html_escape(content)
|
85
|
+
end
|
86
|
+
|
80
87
|
"<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
|
81
88
|
end
|
82
89
|
|
@@ -127,6 +134,8 @@ module ActionView
|
|
127
134
|
end
|
128
135
|
|
129
136
|
def tag_option(key, value, escape)
|
137
|
+
key = ERB::Util.xml_name_escape(key) if escape
|
138
|
+
|
130
139
|
case value
|
131
140
|
when Array, Hash
|
132
141
|
value = TagHelper.build_tag_values(value) if key.to_s == "class"
|
@@ -137,6 +146,7 @@ module ActionView
|
|
137
146
|
value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
|
138
147
|
end
|
139
148
|
value = value.gsub('"', """) if value.include?('"')
|
149
|
+
|
140
150
|
%(#{key}="#{value}")
|
141
151
|
end
|
142
152
|
|
@@ -153,6 +163,27 @@ module ActionView
|
|
153
163
|
true
|
154
164
|
end
|
155
165
|
|
166
|
+
def handle_deprecated_escape_options(options)
|
167
|
+
# The option :escape_attributes has been merged into the options hash to be
|
168
|
+
# able to warn when it is used, so we need to handle default values here.
|
169
|
+
escape_option_provided = options.has_key?(:escape)
|
170
|
+
escape_attributes_option_provided = options.has_key?(:escape_attributes)
|
171
|
+
|
172
|
+
if escape_attributes_option_provided
|
173
|
+
ActiveSupport::Deprecation.warn(<<~MSG)
|
174
|
+
Use of the option :escape_attributes is deprecated. It currently \
|
175
|
+
escapes both names and values of tags and attributes and it is \
|
176
|
+
equivalent to :escape. If any of them are enabled, the escaping \
|
177
|
+
is fully enabled.
|
178
|
+
MSG
|
179
|
+
end
|
180
|
+
|
181
|
+
return true unless escape_option_provided || escape_attributes_option_provided
|
182
|
+
escape_option = options.delete(:escape)
|
183
|
+
escape_attributes_option = options.delete(:escape_attributes)
|
184
|
+
escape_option || escape_attributes_option
|
185
|
+
end
|
186
|
+
|
156
187
|
def method_missing(called, *args, **options, &block)
|
157
188
|
tag_string(called, *args, **options, &block)
|
158
189
|
end
|
@@ -216,13 +247,13 @@ module ActionView
|
|
216
247
|
# tag.div data: { city_state: %w( Chicago IL ) }
|
217
248
|
# # => <div data-city-state="["Chicago","IL"]"></div>
|
218
249
|
#
|
219
|
-
# The generated attributes are escaped by default. This can be disabled using
|
220
|
-
# +
|
250
|
+
# The generated tag names and attributes are escaped by default. This can be disabled using
|
251
|
+
# +escape+.
|
221
252
|
#
|
222
253
|
# tag.img src: 'open & shut.png'
|
223
254
|
# # => <img src="open & shut.png">
|
224
255
|
#
|
225
|
-
# tag.img src: 'open & shut.png',
|
256
|
+
# tag.img src: 'open & shut.png', escape: false
|
226
257
|
# # => <img src="open & shut.png">
|
227
258
|
#
|
228
259
|
# The tag builder respects
|
@@ -300,6 +331,7 @@ module ActionView
|
|
300
331
|
if name.nil?
|
301
332
|
tag_builder
|
302
333
|
else
|
334
|
+
name = ERB::Util.xml_name_escape(name) if escape
|
303
335
|
"<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
|
304
336
|
end
|
305
337
|
end
|
@@ -308,7 +340,7 @@ module ActionView
|
|
308
340
|
# HTML attributes by passing an attributes hash to +options+.
|
309
341
|
# Instead of passing the content as an argument, you can also use a block
|
310
342
|
# in which case, you pass your +options+ as the second parameter.
|
311
|
-
# Set escape to false to disable
|
343
|
+
# Set escape to false to disable escaping.
|
312
344
|
# Note: this is legacy syntax, see +tag+ method description for details.
|
313
345
|
#
|
314
346
|
# ==== Options
|
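Review bot: The void-element branch of tag_string in the first hunk (the `"<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe` line) interpolates the tag name without the `ERB::Util.xml_name_escape` call that content_tag_string and tag now apply, so on first read it looks like the one place the new name escaping was missed. It appears to be safe only because the enclosing `if` requires `name` to be a member of HTML_VOID_ELEMENTS or SVG_VOID_ELEMENTS, which pins it to a fixed set of constant names; since that invariant is what the protection rests on, it deserves a comment above that line such as `# name is a member of HTML_VOID_ELEMENTS/SVG_VOID_ELEMENTS here, so it needs no xml_name_escape`. Note also that handle_deprecated_escape_options returns `escape_option || escape_attributes_option`, so an explicitly passed `escape: nil` (or `escape_attributes: nil`) disables escaping of both names and values; if that is intended, the `tag` documentation updated in the later hunk should state that only a truthy value keeps escaping on.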
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionview
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.0.2.
|
4
|
+
version: 7.0.2.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-04-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.0.2.
|
19
|
+
version: 7.0.2.4
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.0.2.
|
26
|
+
version: 7.0.2.4
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: builder
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -92,28 +92,28 @@ dependencies:
|
|
92
92
|
requirements:
|
93
93
|
- - '='
|
94
94
|
- !ruby/object:Gem::Version
|
95
|
-
version: 7.0.2.
|
95
|
+
version: 7.0.2.4
|
96
96
|
type: :development
|
97
97
|
prerelease: false
|
98
98
|
version_requirements: !ruby/object:Gem::Requirement
|
99
99
|
requirements:
|
100
100
|
- - '='
|
101
101
|
- !ruby/object:Gem::Version
|
102
|
-
version: 7.0.2.
|
102
|
+
version: 7.0.2.4
|
103
103
|
- !ruby/object:Gem::Dependency
|
104
104
|
name: activemodel
|
105
105
|
requirement: !ruby/object:Gem::Requirement
|
106
106
|
requirements:
|
107
107
|
- - '='
|
108
108
|
- !ruby/object:Gem::Version
|
109
|
-
version: 7.0.2.
|
109
|
+
version: 7.0.2.4
|
110
110
|
type: :development
|
111
111
|
prerelease: false
|
112
112
|
version_requirements: !ruby/object:Gem::Requirement
|
113
113
|
requirements:
|
114
114
|
- - '='
|
115
115
|
- !ruby/object:Gem::Version
|
116
|
-
version: 7.0.2.
|
116
|
+
version: 7.0.2.4
|
117
117
|
description: Simple, battle-tested conventions and helpers for building web pages.
|
118
118
|
email: david@loudthinking.com
|
119
119
|
executables: []
|
@@ -246,10 +246,10 @@ licenses:
|
|
246
246
|
- MIT
|
247
247
|
metadata:
|
248
248
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
249
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.2.
|
250
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.2.
|
249
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md
|
250
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
|
251
251
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
252
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.2.
|
252
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview
|
253
253
|
rubygems_mfa_required: 'true'
|
254
254
|
post_install_message:
|
255
255
|
rdoc_options: []
|
@@ -267,7 +267,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
267
267
|
version: '0'
|
268
268
|
requirements:
|
269
269
|
- none
|
270
|
-
rubygems_version: 3.
|
270
|
+
rubygems_version: 3.1.6
|
271
271
|
signing_key:
|
272
272
|
specification_version: 4
|
273
273
|
summary: Rendering framework putting the V in MVC (part of Rails).
|