activesupport 5.2.7 → 5.2.7.1
- checksums.yaml +4 -4
 - data/CHANGELOG.md +10 -0
 - data/lib/active_support/core_ext/string/output_safety.rb +28 -0
 - data/lib/active_support/gem_version.rb +1 -1
 - metadata +7 -7
 
    
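--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:  
-  data.tar.gz:  
+  metadata.gz: aa79e8148b74284648f6d5c9dc1694bdb052857b790a8e0cf2cee73f624cb0f6
+  data.tar.gz: 8feca76c0bcf709b1945fdbbe9400230c0b1404c42123782b7a594ff941f79ee
 SHA512:
-  metadata.gz:  
-  data.tar.gz:  
+  metadata.gz: ff6874567bd990b8598c9ad44ef9106c17d1057f1868d8b8b0be55ff165b130bb60203ea6694d00e050ebd7c076704a2a17632bf1bfe2e6736ea0abab494ec6e
+  data.tar.gz: bc15910b72defa9b95871d049dfb30b12fa9de7eeadb3148246560f1e57963c467e83ae923670467eae945fc82c9fc55f314372b7b4f0fa7d3a1e800e026641a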
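--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,13 @@
+## Rails 5.2.7.1 (April 26, 2022) ##
+
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
+    in names of tags and names of attributes, following the specification of XML.
+
+    *Álvaro Martín Fraguas*
+
+
 ## Rails 5.2.7 (March 10, 2022) ##
 
 *   Restore support to Ruby 2.2.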
         @@ -12,6 +12,14 @@ class ERB 
     | 
|
| 
       12 
12 
     | 
    
         
             
                HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
         
     | 
| 
       13 
13 
     | 
    
         
             
                JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
         
     | 
| 
       14 
14 
     | 
    
         | 
| 
      
 15 
     | 
    
         
            +
                # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
         
     | 
| 
      
 16 
     | 
    
         
            +
                TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
         
     | 
| 
      
 17 
     | 
    
         
            +
                                            "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
         
     | 
| 
      
 18 
     | 
    
         
            +
                                            "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
         
     | 
| 
      
 19 
     | 
    
         
            +
                TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
         
     | 
| 
      
 20 
     | 
    
         
            +
                TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
         
     | 
| 
      
 21 
     | 
    
         
            +
                TAG_NAME_REPLACEMENT_CHAR = "_"
         
     | 
| 
      
 22 
     | 
    
         
            +
             
     | 
| 
       15 
23 
     | 
    
         
             
                # A utility method for escaping HTML tag characters.
         
     | 
| 
       16 
24 
     | 
    
         
             
                # This method is also aliased as <tt>h</tt>.
         
     | 
| 
       17 
25 
     | 
    
         
             
                #
         
     | 
| 
         @@ -116,6 +124,26 @@ class ERB 
     | 
|
| 
       116 
124 
     | 
    
         
             
                end
         
     | 
| 
       117 
125 
     | 
    
         | 
| 
       118 
126 
     | 
    
         
             
                module_function :json_escape
         
     | 
| 
      
 127 
     | 
    
         
            +
             
     | 
| 
      
 128 
     | 
    
         
            +
                # A utility method for escaping XML names of tags and names of attributes.
         
     | 
| 
      
 129 
     | 
    
         
            +
                #
         
     | 
| 
      
 130 
     | 
    
         
            +
                #   xml_name_escape('1 < 2 & 3')
         
     | 
| 
      
 131 
     | 
    
         
            +
                #   # => "1___2___3"
         
     | 
| 
      
 132 
     | 
    
         
            +
                #
         
     | 
| 
      
 133 
     | 
    
         
            +
                # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
         
     | 
| 
      
 134 
     | 
    
         
            +
                def xml_name_escape(name)
         
     | 
| 
      
 135 
     | 
    
         
            +
                  name = name.to_s
         
     | 
| 
      
 136 
     | 
    
         
            +
                  return "" if name.blank?
         
     | 
| 
      
 137 
     | 
    
         
            +
             
     | 
| 
      
 138 
     | 
    
         
            +
                  starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
         
     | 
| 
      
 139 
     | 
    
         
            +
             
     | 
| 
      
 140 
     | 
    
         
            +
                  return starting_char if name.size == 1
         
     | 
| 
      
 141 
     | 
    
         
            +
             
     | 
| 
      
 142 
     | 
    
         
            +
                  following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
         
     | 
| 
      
 143 
     | 
    
         
            +
             
     | 
| 
      
 144 
     | 
    
         
            +
                  starting_char + following_chars
         
     | 
| 
      
 145 
     | 
    
         
            +
                end
         
     | 
| 
      
 146 
     | 
    
         
            +
                module_function :xml_name_escape
         
     | 
| 
       119 
147 
     | 
    
         
             
              end
         
     | 
| 
       120 
148 
     | 
    
         
             
            end
         
     | 
| 
       121 
149 
     | 
    
         | 
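Review bot: The example in the new doc comment for `xml_name_escape` (second `class ERB` hunk, which by the diffstat belongs to output_safety.rb) does not match the code: digits are not in `TAG_NAME_START_REGEXP_SET`, so the leading `1` is replaced too and the call returns `"____2___3"`; the example line should read `#   # => "____2___3"`. The comment should also state that a nil, empty or whitespace-only name returns `""`, which is not a valid XML name, so callers building tags or attributes from untrusted keys must handle the empty result themselves. It is also worth noting there that the replacement is lossy: distinct inputs (constructed samples `a b` and `a<b`) both become `a_b`, so escaped names can collide. The method itself lies fully inside the hunk, but the enclosing module opens outside it.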
    
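--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activesupport
 version: !ruby/object:Gem::Version
-  version: 5.2.7
+  version: 5.2.7.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022- 
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n
@@ -333,9 +333,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.7/activesupport
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.7/activesupport/CHANGELOG.md
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.7.1/activesupport
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.7.1/activesupport/CHANGELOG.md
+post_install_message:
 rdoc_options:
 - "--encoding"
 - UTF-8
@@ -353,7 +353,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key: 
+signing_key:
 specification_version: 4
 summary: A toolkit of support libraries and Ruby core extensions extracted from the
   Rails framework.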