actionview 5.2.7 → 5.2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b5c95d9da13c30d994f7b054cbcf5d8857be02ed3853c6a0a9e9c9cfc92c437
-  data.tar.gz: 43a055a269ecefdfc2a7c2b1d65cdad59ecb6f3ec59712d2c7b46c2da408c741
+  metadata.gz: 0b2a6c8b465b9914ab6831b8972018525cb2fc2a0c7f950a693ba7895ff52923
+  data.tar.gz: 1e9b4548ad481fed3e2b7dec7d256a611e858c8eee70e118d38daaa93f72f7b8
 SHA512:
-  metadata.gz: dda4aa565a765b022e9c428cdf52d8c7fd250b15d8cfb17b2bbb569b49249c0684515081f3dc6978c41d6c837c89d30dc33d129a6e300e8ef4b08caccae70840
-  data.tar.gz: a1e4cea4e509ebdfc60a69340c7796060786fc958d85b1ed1484447360260dff5697cbd86b95e10ab13fc15822e58be3a13066bb72f0e7a515b8ff60b02ba1ee
+  metadata.gz: a2e838a423037a30cf4e4e12e8aab64c8e8493f1a370f921be0f7cfbfa92669da4f13cf7cd3c03c42d2c3a2f516b661ba1ca7baa4cf409bf3709b12d3b9692af
+  data.tar.gz: a705450df376aa7abcdd1762ee4f5a9cfc3165bd5102c7c82a7209f8910bd8d46f52d014c3a3feb5f22bfac327414dfeacd75d948b0e2f0ae5d746f0aab71dc7

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## Rails 5.2.7.1 (April 26, 2022) ##
+
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
+
+    *Álvaro Martín Fraguas*
+
+
 ## Rails 5.2.7 (March 10, 2022) ##
 
 *   No changes.

data/lib/action_view/gem_version.rb

@@ -10,7 +10,7 @@ module ActionView
     MAJOR = 5
     MINOR = 2
     TINY  = 7
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/tag_helper.rb

@@ -41,18 +41,25 @@ module ActionView
           @view_context = view_context
         end
 
-        def tag_string(name, content = nil, escape_attributes: true, **options, &block)
+        def tag_string(name, content = nil, **options, &block)
+          escape = handle_deprecated_escape_options(options)
           content = @view_context.capture(self, &block) if block_given?
+
           if VOID_ELEMENTS.include?(name) && content.nil?
-            "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
+            "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
           else
-            content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
+            content_tag_string(name.to_s.dasherize, content || "", options, escape)
           end
         end
 
         def content_tag_string(name, content, options, escape = true)
           tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.unwrapped_html_escape(content) if escape
+
+          if escape
+            name = ERB::Util.xml_name_escape(name)
+            content = ERB::Util.unwrapped_html_escape(content)
+          end
+
           "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
         end
 
@@ -85,6 +92,8 @@ module ActionView
         end
 
         def tag_option(key, value, escape)
+          key = ERB::Util.xml_name_escape(key) if escape
+
           if value.is_a?(Array)
             value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
           else
@@ -106,8 +115,29 @@ module ActionView
             true
           end
 
-          def method_missing(called, *args, &block)
-            tag_string(called, *args, &block)
+          def handle_deprecated_escape_options(options)
+            # The option :escape_attributes has been merged into the options hash to be
+            # able to warn when it is used, so we need to handle default values here.
+            escape_option_provided = options.has_key?(:escape)
+            escape_attributes_option_provided = options.has_key?(:escape_attributes)
+
+            if escape_attributes_option_provided
+              ActiveSupport::Deprecation.warn(<<~MSG)
+                Use of the option :escape_attributes is deprecated. It currently \
+                escapes both names and values of tags and attributes and it is \
+                equivalent to :escape. If any of them are enabled, the escaping \
+                is fully enabled.
+              MSG
+            end
+
+            return true unless escape_option_provided || escape_attributes_option_provided
+            escape_option = options.delete(:escape)
+            escape_attributes_option = options.delete(:escape_attributes)
+            escape_option || escape_attributes_option
+          end
+
+          def method_missing(called, *args, **options, &block)
+            tag_string(called, *args, **options, &block)
           end
       end
 
@@ -236,6 +266,7 @@ module ActionView
         if name.nil?
           tag_builder
         else
+          name = ERB::Util.xml_name_escape(name) if escape
           "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 5.2.7
+  version: 5.2.7.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-10 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.7
+        version: 5.2.7.1
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -230,9 +230,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.7/actionview
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.7/actionview/CHANGELOG.md
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/actionview
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/actionview/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -249,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubygems_version: 3.1.6
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).
 test_files: []