activesupport 5.2.6.2 → 5.2.7.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7064b7c29850882af63657ca21981ff9b328f05205035d5708003f7afe68d3cc
4
- data.tar.gz: cd0c59a687910eb495507cdad5b6ee9b6a3742b75567bc07c44586ce523dfad0
3
+ metadata.gz: aa79e8148b74284648f6d5c9dc1694bdb052857b790a8e0cf2cee73f624cb0f6
4
+ data.tar.gz: 8feca76c0bcf709b1945fdbbe9400230c0b1404c42123782b7a594ff941f79ee
5
5
  SHA512:
6
- metadata.gz: ad8749d13d3707110dff8cd9efed02b92199deb890f28c8c085b29dcb6e44b594096c2a48f60eb3496f9e8a1ceda24b5eb539f2d3c649d6871f5b1111cdc02ee
7
- data.tar.gz: b1a7cc698f146647647e0c936eb523bff63c0c8283efbde4926e2aaceb811cb98d83d83fddb30727714956f5a4a2fcca4b6c0ce033485eaf6d17301c0f26c614
6
+ metadata.gz: ff6874567bd990b8598c9ad44ef9106c17d1057f1868d8b8b0be55ff165b130bb60203ea6694d00e050ebd7c076704a2a17632bf1bfe2e6736ea0abab494ec6e
7
+ data.tar.gz: bc15910b72defa9b95871d049dfb30b12fa9de7eeadb3148246560f1e57963c467e83ae923670467eae945fc82c9fc55f314372b7b4f0fa7d3a1e800e026641a
data/CHANGELOG.md CHANGED
@@ -1,3 +1,25 @@
1
+ ## Rails 5.2.7.1 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
6
+ in names of tags and names of attributes, following the specification of XML.
7
+
8
+ *Álvaro Martín Fraguas*
9
+
10
+
11
+ ## Rails 5.2.7 (March 10, 2022) ##
12
+
13
+ * Restore support to Ruby 2.2.
14
+
15
+ *ojab*
16
+
17
+
18
+ ## Rails 5.2.6.3 (March 08, 2022) ##
19
+
20
+ * No changes.
21
+
22
+
1
23
  ## Rails 5.2.6.2 (February 11, 2022) ##
2
24
 
3
25
  * Fix Reloader method signature to work with the new Executor signature
@@ -12,6 +12,14 @@ class ERB
12
12
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
13
13
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
14
14
 
15
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
16
+ TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
17
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
18
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
19
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
20
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
21
+ TAG_NAME_REPLACEMENT_CHAR = "_"
22
+
15
23
  # A utility method for escaping HTML tag characters.
16
24
  # This method is also aliased as <tt>h</tt>.
17
25
  #
@@ -116,6 +124,26 @@ class ERB
116
124
  end
117
125
 
118
126
  module_function :json_escape
127
+
128
+ # A utility method for escaping XML names of tags and names of attributes.
129
+ #
130
+ # xml_name_escape('1 < 2 & 3')
131
+ # # => "1___2___3"
132
+ #
133
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
134
+ def xml_name_escape(name)
135
+ name = name.to_s
136
+ return "" if name.blank?
137
+
138
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
139
+
140
+ return starting_char if name.size == 1
141
+
142
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
143
+
144
+ starting_char + following_chars
145
+ end
146
+ module_function :xml_name_escape
119
147
  end
120
148
  end
121
149
 
@@ -65,7 +65,7 @@ module ActiveSupport
65
65
  def self.run!(reset: false)
66
66
  if reset
67
67
  lost_instance = active.delete(Thread.current)
68
- lost_instance&.complete!
68
+ lost_instance.complete! unless lost_instance.nil?
69
69
  else
70
70
  return Null if active?
71
71
  end
@@ -9,8 +9,8 @@ module ActiveSupport
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 6
13
- PRE = "2"
12
+ TINY = 7
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.6.2
4
+ version: 5.2.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-11 00:00:00.000000000 Z
11
+ date: 2022-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -333,8 +333,8 @@ homepage: http://rubyonrails.org
333
333
  licenses:
334
334
  - MIT
335
335
  metadata:
336
- source_code_uri: https://github.com/rails/rails/tree/v5.2.6.2/activesupport
337
- changelog_uri: https://github.com/rails/rails/blob/v5.2.6.2/activesupport/CHANGELOG.md
336
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/activesupport
337
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/activesupport/CHANGELOG.md
338
338
  post_install_message:
339
339
  rdoc_options:
340
340
  - "--encoding"