actionview 7.0.2.3 → 7.0.2.4



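--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 251f6215ecece9893afc3c32cf8be93d5f6861c0bd586e06224fc49448e6bf61
-data.tar.gz: 04bf493f8468bccd4baedd09ce7d6e191ad858a5f9aaaf12fe4ff5a975576795
+metadata.gz: 05b202fb72d79b08cc80097deb5e09fda321f310a8a06c361599e95a76c16cfc
+data.tar.gz: 64d8271b6a06f9de6f6692b96a1ba3016b53d10b068df1c41db4c81094e642d3
 SHA512:
-metadata.gz: f0b699134a272f0c159eb8b49c5be6cd93bbaa50da1e087fad690a38aab780f49dae1d47dba6547b071845ef4ea07cde1a19f0ee1db4f9699feda6c0f8d5704b
-data.tar.gz: 50d6ef0114c3475db58197222335b332933a5993b4386372a63a5a38b24b2b37a52a83d627ebee54bdebd2180c74783912305138f647d199daa544c519a591cf
+metadata.gz: 42594ba6f50e9611210173d7a4e42351c928acf1024ea33858d91679b20df6d8fb5b49aa7f21ee147827efcf005ffdb60025cc15293d4f462c1927c3c251155e
+data.tar.gz: ac02f50538a88bc0fec35186567e376c95908cc791b500b24fbcdcbc9ae0a0c839a0f9245e9fae67ea6dde9304e53fe62ad30f0ad4bdf96aced044651df7f4f8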
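--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+## Rails 7.0.2.4 (April 26, 2022) ##
+
+* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+Escape dangerous characters in names of tags and names of attributes in the
+tag helpers, following the XML specification. Rename the option
+`:escape_attributes` to `:escape`, to simplify by applying the option to the
+whole tag.
+
+*Álvaro Martín Fraguas*
+
 ## Rails 7.0.2.3 (March 08, 2022) ##
 
 * No changes.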
@@ -10,7 +10,7 @@ module ActionView
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 2
13
- PRE = "3"
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -65,18 +65,25 @@ module ActionView
65
65
  tag_string(:p, *arguments, **options, &block)
66
66
  end
67
67
 
68
- def tag_string(name, content = nil, escape_attributes: true, **options, &block)
68
+ def tag_string(name, content = nil, **options, &block)
69
+ escape = handle_deprecated_escape_options(options)
70
+
69
71
  content = @view_context.capture(self, &block) if block_given?
70
72
  if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil?
71
- "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
73
+ "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
72
74
  else
73
- content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
75
+ content_tag_string(name.to_s.dasherize, content || "", options, escape)
74
76
  end
75
77
  end
76
78
 
77
79
  def content_tag_string(name, content, options, escape = true)
78
80
  tag_options = tag_options(options, escape) if options
79
- content = ERB::Util.unwrapped_html_escape(content) if escape
81
+
82
+ if escape
83
+ name = ERB::Util.xml_name_escape(name)
84
+ content = ERB::Util.unwrapped_html_escape(content)
85
+ end
86
+
80
87
  "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
81
88
  end
82
89
 
@@ -127,6 +134,8 @@ module ActionView
127
134
  end
128
135
 
129
136
  def tag_option(key, value, escape)
137
+ key = ERB::Util.xml_name_escape(key) if escape
138
+
130
139
  case value
131
140
  when Array, Hash
132
141
  value = TagHelper.build_tag_values(value) if key.to_s == "class"
@@ -137,6 +146,7 @@ module ActionView
137
146
  value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
138
147
  end
139
148
  value = value.gsub('"', "&quot;") if value.include?('"')
149
+
140
150
  %(#{key}="#{value}")
141
151
  end
142
152
 
@@ -153,6 +163,27 @@ module ActionView
153
163
  true
154
164
  end
155
165
 
166
+ def handle_deprecated_escape_options(options)
167
+ # The option :escape_attributes has been merged into the options hash to be
168
+ # able to warn when it is used, so we need to handle default values here.
169
+ escape_option_provided = options.has_key?(:escape)
170
+ escape_attributes_option_provided = options.has_key?(:escape_attributes)
171
+
172
+ if escape_attributes_option_provided
173
+ ActiveSupport::Deprecation.warn(<<~MSG)
174
+ Use of the option :escape_attributes is deprecated. It currently \
175
+ escapes both names and values of tags and attributes and it is \
176
+ equivalent to :escape. If any of them are enabled, the escaping \
177
+ is fully enabled.
178
+ MSG
179
+ end
180
+
181
+ return true unless escape_option_provided || escape_attributes_option_provided
182
+ escape_option = options.delete(:escape)
183
+ escape_attributes_option = options.delete(:escape_attributes)
184
+ escape_option || escape_attributes_option
185
+ end
186
+
156
187
  def method_missing(called, *args, **options, &block)
157
188
  tag_string(called, *args, **options, &block)
158
189
  end
@@ -216,13 +247,13 @@ module ActionView
216
247
  # tag.div data: { city_state: %w( Chicago IL ) }
217
248
  # # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
218
249
  #
219
- # The generated attributes are escaped by default. This can be disabled using
220
- # +escape_attributes+.
250
+ # The generated tag names and attributes are escaped by default. This can be disabled using
251
+ # +escape+.
221
252
  #
222
253
  # tag.img src: 'open & shut.png'
223
254
  # # => <img src="open &amp; shut.png">
224
255
  #
225
- # tag.img src: 'open & shut.png', escape_attributes: false
256
+ # tag.img src: 'open & shut.png', escape: false
226
257
  # # => <img src="open & shut.png">
227
258
  #
228
259
  # The tag builder respects
@@ -300,6 +331,7 @@ module ActionView
300
331
  if name.nil?
301
332
  tag_builder
302
333
  else
334
+ name = ERB::Util.xml_name_escape(name) if escape
303
335
  "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
304
336
  end
305
337
  end
@@ -308,7 +340,7 @@ module ActionView
308
340
  # HTML attributes by passing an attributes hash to +options+.
309
341
  # Instead of passing the content as an argument, you can also use a block
310
342
  # in which case, you pass your +options+ as the second parameter.
311
- # Set escape to false to disable attribute value escaping.
343
+ # Set escape to false to disable escaping.
312
344
  # Note: this is legacy syntax, see +tag+ method description for details.
313
345
  #
314
346
  # ==== Options
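Review bot: The void-element branch of `tag_string` (the `"<#{name.to_s.dasherize}#{tag_options(options, escape)}>"` line) interpolates the tag name without `ERB::Util.xml_name_escape`, whereas the non-void branch and the legacy `tag` method now escape it; this is only safe because the guard on the preceding line restricts `name` to `HTML_VOID_ELEMENTS`/`SVG_VOID_ELEMENTS`, and that invariant should be recorded so a later edit to the guard does not silently drop the protection, e.g. `# name is a member of the void-element allowlists checked above, so it needs no escaping here`. In `handle_deprecated_escape_options`, `options.has_key?(:escape)` and `options.has_key?(:escape_attributes)` read more idiomatically as `options.key?(:escape)` / `options.key?(:escape_attributes)`. That helper also removes both keys from `options` via `delete`, which is a contract worth a comment above the method: it returns `true` when neither option is given, otherwise the logical OR of the two values, and consumes both keys so they are never emitted as attributes.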
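--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-08 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: builder
 requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.2.3
+version: 7.0.2.4
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -246,10 +246,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/actionview/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
+changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/actionview
+source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []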