actionview 7.0.2.3 → 7.0.2.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/lib/action_view/gem_version.rb +1 -1
- data/lib/action_view/helpers/tag_helper.rb +40 -8
- metadata +11 -11
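--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 05b202fb72d79b08cc80097deb5e09fda321f310a8a06c361599e95a76c16cfc
+data.tar.gz: 64d8271b6a06f9de6f6692b96a1ba3016b53d10b068df1c41db4c81094e642d3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 42594ba6f50e9611210173d7a4e42351c928acf1024ea33858d91679b20df6d8fb5b49aa7f21ee147827efcf005ffdb60025cc15293d4f462c1927c3c251155e
+data.tar.gz: ac02f50538a88bc0fec35186567e376c95908cc791b500b24fbcdcbc9ae0a0c839a0f9245e9fae67ea6dde9304e53fe62ad30f0ad4bdf96aced044651df7f4f8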
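--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+## Rails 7.0.2.4 (April 26, 2022) ##
+
+* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+Escape dangerous characters in names of tags and names of attributes in the
+tag helpers, following the XML specification. Rename the option
+`:escape_attributes` to `:escape`, to simplify by applying the option to the
+whole tag.
+
+*Álvaro Martín Fraguas*
+
 ## Rails 7.0.2.3 (March 08, 2022) ##
 
 * No changes.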
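--- a/data/lib/action_view/helpers/tag_helper.rb
+++ b/data/lib/action_view/helpers/tag_helper.rb
@@ -65,18 +65,25 @@ module ActionView
 tag_string(:p, *arguments, **options, &block)
 end
 
-def tag_string(name, content = nil,
+def tag_string(name, content = nil, **options, &block)
+escape = handle_deprecated_escape_options(options)
+
 content = @view_context.capture(self, &block) if block_given?
 if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil?
-"<#{name.to_s.dasherize}#{tag_options(options,
+"<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
 else
-content_tag_string(name.to_s.dasherize, content || "", options,
+content_tag_string(name.to_s.dasherize, content || "", options, escape)
 end
 end
 
 def content_tag_string(name, content, options, escape = true)
 tag_options = tag_options(options, escape) if options
-
+
+if escape
+name = ERB::Util.xml_name_escape(name)
+content = ERB::Util.unwrapped_html_escape(content)
+end
+
 "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
 end
 
@@ -127,6 +134,8 @@ module ActionView
 end
 
 def tag_option(key, value, escape)
+key = ERB::Util.xml_name_escape(key) if escape
+
 case value
 when Array, Hash
 value = TagHelper.build_tag_values(value) if key.to_s == "class"
@@ -137,6 +146,7 @@ module ActionView
 value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
 end
 value = value.gsub('"', """) if value.include?('"')
+
 %(#{key}="#{value}")
 end
 
@@ -153,6 +163,27 @@ module ActionView
 true
 end
 
+def handle_deprecated_escape_options(options)
+# The option :escape_attributes has been merged into the options hash to be
+# able to warn when it is used, so we need to handle default values here.
+escape_option_provided = options.has_key?(:escape)
+escape_attributes_option_provided = options.has_key?(:escape_attributes)
+
+if escape_attributes_option_provided
+ActiveSupport::Deprecation.warn(<<~MSG)
+Use of the option :escape_attributes is deprecated. It currently \
+escapes both names and values of tags and attributes and it is \
+equivalent to :escape. If any of them are enabled, the escaping \
+is fully enabled.
+MSG
+end
+
+return true unless escape_option_provided || escape_attributes_option_provided
+escape_option = options.delete(:escape)
+escape_attributes_option = options.delete(:escape_attributes)
+escape_option || escape_attributes_option
+end
+
 def method_missing(called, *args, **options, &block)
 tag_string(called, *args, **options, &block)
 end
@@ -216,13 +247,13 @@ module ActionView
 # tag.div data: { city_state: %w( Chicago IL ) }
 # # => <div data-city-state="["Chicago","IL"]"></div>
 #
-# The generated attributes are escaped by default. This can be disabled using
-# +
+# The generated tag names and attributes are escaped by default. This can be disabled using
+# +escape+.
 #
 # tag.img src: 'open & shut.png'
 # # => <img src="open & shut.png">
 #
-# tag.img src: 'open & shut.png',
+# tag.img src: 'open & shut.png', escape: false
 # # => <img src="open & shut.png">
 #
 # The tag builder respects
@@ -300,6 +331,7 @@ module ActionView
 if name.nil?
 tag_builder
 else
+name = ERB::Util.xml_name_escape(name) if escape
 "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
 end
 end
@@ -308,7 +340,7 @@ module ActionView
 # HTML attributes by passing an attributes hash to +options+.
 # Instead of passing the content as an argument, you can also use a block
 # in which case, you pass your +options+ as the second parameter.
-# Set escape to false to disable
+# Set escape to false to disable escaping.
 # Note: this is legacy syntax, see +tag+ method description for details.
 #
 # ==== Options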
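Review bot: `handle_deprecated_escape_options` in the `@@ -153,6 +163,27 @@` hunk fails open when a caller passes `escape: nil` (or `escape_attributes: nil`): `has_key?` reports the option as provided, the early `return true` is skipped, and `escape_option || escape_attributes_option` evaluates to nil, so the tag name, attribute names and content are all emitted unescaped by `content_tag_string` and `tag_option`. Any caller that forwards a nil-valued option, e.g. from an unset configuration value, hits this silently, since neither a deprecation warning nor an error fires for the `:escape` key. Treating only an explicit `false` as a disable while keeping the "if any of them are enabled, escaping is enabled" rule from the deprecation message would close it: `escape_option || escape_attributes_option || (escape_option.nil? && escape_attributes_option.nil?)`. A comment on the method, `# Only an explicit false disables escaping; nil is treated as the default (true).`, would make that contract visible to the next maintainer.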
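--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: builder
 requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.
+version: 7.0.2.4
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -246,10 +246,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.2.
-documentation_uri: https://api.rubyonrails.org/v7.0.2.
+changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.2.
+source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []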