RubyGems - actionview - Versions diffs - 5.2.4.3 → 5.2.4.4 - Mend

actionview 5.2.4.3 → 5.2.4.4

Potentially problematic release.

This version of actionview might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/lib/action_view/gem_version.rb +1 -1
data/lib/action_view/helpers/translation_helper.rb +12 -1
metadata +10 -10

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 970fa5ee0784974b9e80c2704b8176f662061e74cb3130c239a17ceaf27039b2
-  data.tar.gz: 5e578501d9ec2274c1169fca0971b5fbb5aa7ac61a26feaa4583c7301ebdc4dc
+  metadata.gz: 285d9a982fd985cc0c7b694548154f3e7b52dac3dfa42c9c7dbbd61d07f6ed81
+  data.tar.gz: e877ec1372d604047b00f5a665397a42952ca07f7ed470a7c64a7c8913630f1e
 SHA512:
-  metadata.gz: 711725496a5ac1db4cfd2dc2755b16d765db5a43a5c6876cacd36bf3ccc4e851ca5b8281729b5f4e3b958f1c692f5dd84fc065a78d49ab9df37abb5557bd7bb2
-  data.tar.gz: 2ca971038b23b0f5a82aff0912cd7ffd3f8f24033e14d23cbad00874f6ff216fd1b09768168464b207bc7a1192b782cc7cfc6a7bedb7fdfa032dbef368d7513f
+  metadata.gz: 6293206a2f96b9a349fe3f40f1f42fa81727e38e8333149b60df3bfd56afb39fced4f23c2643eb6fd477bf5b8095e1b31b70cd8f5abbe9d7c577fab225fadfa5
+  data.tar.gz: b5bffb0c64df5ba0640b1fbc0d4b75ca3e672f3172a4cd9c97280a35681be4419e82ac93b4093c6b2889c05fb26dd02e651e14c75e0aed98006ddadda2ca181d

data/CHANGELOG.md CHANGED

@@ -1,3 +1,10 @@
+## Rails 5.2.4.4 (September 09, 2020) ##
+*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
+    *Jonathan Hefner*
 ## Rails 5.2.4.3 (May 18, 2020) ##
 *   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs

data/lib/action_view/gem_version.rb CHANGED

@@ -10,7 +10,7 @@ module ActionView
     MAJOR = 5
     MINOR = 2
     TINY  = 4
-    PRE   = "3"
+    PRE   = "4"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/translation_helper.rb CHANGED

@@ -79,14 +79,22 @@ module ActionView
         if html_safe_translation_key?(key)
           html_safe_options = options.dup
           options.except(*I18n::RESERVED_KEYS).each do |name, value|
             unless name == :count && value.is_a?(Numeric)
               html_safe_options[name] = ERB::Util.html_escape(value.to_s)
             end
           end
+          html_safe_options[:default] = MISSING_TRANSLATION unless html_safe_options[:default].blank?
           translation = I18n.translate(scope_key_by_partial(key), html_safe_options.merge(raise: i18n_raise))
-          translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          if translation.equal?(MISSING_TRANSLATION)
+            options[:default].first
+          else
+            translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          end
         else
           I18n.translate(scope_key_by_partial(key), options.merge(raise: i18n_raise))
         end
@@ -121,6 +129,9 @@ module ActionView
       alias :l :localize
       private
+        MISSING_TRANSLATION = Object.new
+        private_constant :MISSING_TRANSLATION
         def scope_key_by_partial(key)
           if key.to_s.first == "."
             if @virtual_path

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 5.2.4.3
+  version: 5.2.4.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-18 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.4.4
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -230,8 +230,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/actionview
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/actionview/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/actionview
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.4/actionview/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths: