RubyGems - activesupport - Versions diffs - 5.2.6.2 → 5.2.7.1 - Mend

activesupport 5.2.6.2 → 5.2.7.1

Potentially problematic release.

This version of activesupport might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/lib/active_support/core_ext/string/output_safety.rb +28 -0
data/lib/active_support/execution_wrapper.rb +1 -1
data/lib/active_support/gem_version.rb +2 -2
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7064b7c29850882af63657ca21981ff9b328f05205035d5708003f7afe68d3cc
-  data.tar.gz: cd0c59a687910eb495507cdad5b6ee9b6a3742b75567bc07c44586ce523dfad0
+  metadata.gz: aa79e8148b74284648f6d5c9dc1694bdb052857b790a8e0cf2cee73f624cb0f6
+  data.tar.gz: 8feca76c0bcf709b1945fdbbe9400230c0b1404c42123782b7a594ff941f79ee
 SHA512:
-  metadata.gz: ad8749d13d3707110dff8cd9efed02b92199deb890f28c8c085b29dcb6e44b594096c2a48f60eb3496f9e8a1ceda24b5eb539f2d3c649d6871f5b1111cdc02ee
-  data.tar.gz: b1a7cc698f146647647e0c936eb523bff63c0c8283efbde4926e2aaceb811cb98d83d83fddb30727714956f5a4a2fcca4b6c0ce033485eaf6d17301c0f26c614
+  metadata.gz: ff6874567bd990b8598c9ad44ef9106c17d1057f1868d8b8b0be55ff165b130bb60203ea6694d00e050ebd7c076704a2a17632bf1bfe2e6736ea0abab494ec6e
+  data.tar.gz: bc15910b72defa9b95871d049dfb30b12fa9de7eeadb3148246560f1e57963c467e83ae923670467eae945fc82c9fc55f314372b7b4f0fa7d3a1e800e026641a

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,25 @@
+## Rails 5.2.7.1 (April 26, 2022) ##
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+    Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
+    in names of tags and names of attributes, following the specification of XML.
+    *Álvaro Martín Fraguas*
+## Rails 5.2.7 (March 10, 2022) ##
+*   Restore support to Ruby 2.2.
+    *ojab*
+## Rails 5.2.6.3 (March 08, 2022) ##
+*   No changes.
 ## Rails 5.2.6.2 (February 11, 2022) ##
 *   Fix Reloader method signature to work with the new Executor signature

data/lib/active_support/core_ext/string/output_safety.rb CHANGED Viewed

@@ -12,6 +12,14 @@ class ERB
     HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
     JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
+    # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
+    TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
+                                "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
+                                "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
+    TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
+    TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
+    TAG_NAME_REPLACEMENT_CHAR = "_"
     # A utility method for escaping HTML tag characters.
     # This method is also aliased as <tt>h</tt>.
     #
@@ -116,6 +124,26 @@ class ERB
     end
     module_function :json_escape
+    # A utility method for escaping XML names of tags and names of attributes.
+    #
+    #   xml_name_escape('1 < 2 & 3')
+    #   # => "1___2___3"
+    #
+    # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
+    def xml_name_escape(name)
+      name = name.to_s
+      return "" if name.blank?
+      starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
+      return starting_char if name.size == 1
+      following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
+      starting_char + following_chars
+    end
+    module_function :xml_name_escape
   end
 end

data/lib/active_support/execution_wrapper.rb CHANGED Viewed

@@ -65,7 +65,7 @@ module ActiveSupport
     def self.run!(reset: false)
       if reset
         lost_instance = active.delete(Thread.current)
-        lost_instance&.complete!
+        lost_instance.complete! unless lost_instance.nil?
       else
         return Null if active?
       end

data/lib/active_support/gem_version.rb CHANGED Viewed

@@ -9,8 +9,8 @@ module ActiveSupport
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 6
-    PRE   = "2"
+    TINY  = 7
+    PRE   = "1"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activesupport
 version: !ruby/object:Gem::Version
-  version: 5.2.6.2
+  version: 5.2.7.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n
@@ -333,8 +333,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.6.2/activesupport
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.6.2/activesupport/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/activesupport
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/activesupport/CHANGELOG.md
 post_install_message:
 rdoc_options:
 - "--encoding"