activesupport 6.1.5 → 6.1.5.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4b3babd75cfe9eba9446aa952df30fa9e7a6b8ace1d63022314a7cd9be07eeb6
4
- data.tar.gz: 16ad9c941a3643fdb30602b5ffea85aedc9306babaaf5caccee7041726df0a89
3
+ metadata.gz: 03f0888f6510d51dd63f94d6bdef1a01bc267213c8e32e05e5b23f3a18be663e
4
+ data.tar.gz: c36c9f693da00016c44ff333a8aca0a3b203acb391e3a1f11ac75741182fb726
5
5
  SHA512:
6
- metadata.gz: c362a52ce66fc84e04216656f8919cc39e22280fe7a5f2e0daf1f228ee503be30caf7b942bb7c8ca9445f0aed6604cf6cc8d048c9a9cc9154a91f284e17518db
7
- data.tar.gz: bc8e7c37926b6c30b80ae39d22f0c57fb756e1fd8faebdd5047196afe7508b0ff86691c970f0db3c100e741445b76cb1366bda1dda6ecfc9b5a6ea574415e097
6
+ metadata.gz: 9720be129b6a970ecd40651359fdf5d91fadb5b03e626e18a1ea161d50cb86db629fbe282f1b3b712c6b630e87a59ad62d371ef24e795b8426876793524c3600
7
+ data.tar.gz: e961f1e39d735e17519a92665ab4e96a77fe95fd972c534ffa82a083dabb30147f1a1c5273b084d5c380bd0bce0826482cf4abd3f21292e000dea1ad4d04e3be
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ ## Rails 6.1.5.1 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
6
+ in names of tags and names of attributes, following the specification of XML.
7
+
8
+ *Álvaro Martín Fraguas*
9
+
1
10
  ## Rails 6.1.5 (March 09, 2022) ##
2
11
 
3
12
  * Fix `ActiveSupport::Duration.build` to support negative values.
@@ -11,6 +11,14 @@ class ERB
11
11
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
12
12
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
13
13
 
14
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
15
+ TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
16
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
17
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
18
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
19
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
20
+ TAG_NAME_REPLACEMENT_CHAR = "_"
21
+
14
22
  # A utility method for escaping HTML tag characters.
15
23
  # This method is also aliased as <tt>h</tt>.
16
24
  #
@@ -115,6 +123,26 @@ class ERB
115
123
  end
116
124
 
117
125
  module_function :json_escape
126
+
127
+ # A utility method for escaping XML names of tags and names of attributes.
128
+ #
129
+ # xml_name_escape('1 < 2 & 3')
130
+ # # => "1___2___3"
131
+ #
132
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
133
+ def xml_name_escape(name)
134
+ name = name.to_s
135
+ return "" if name.blank?
136
+
137
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
138
+
139
+ return starting_char if name.size == 1
140
+
141
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
142
+
143
+ starting_char + following_chars
144
+ end
145
+ module_function :xml_name_escape
118
146
  end
119
147
  end
120
148
 
@@ -10,7 +10,7 @@ module ActiveSupport
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 5
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.5
4
+ version: 6.1.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-10 00:00:00.000000000 Z
11
+ date: 2022-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -357,12 +357,12 @@ licenses:
357
357
  - MIT
358
358
  metadata:
359
359
  bug_tracker_uri: https://github.com/rails/rails/issues
360
- changelog_uri: https://github.com/rails/rails/blob/v6.1.5/activesupport/CHANGELOG.md
361
- documentation_uri: https://api.rubyonrails.org/v6.1.5/
360
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.5.1/activesupport/CHANGELOG.md
361
+ documentation_uri: https://api.rubyonrails.org/v6.1.5.1/
362
362
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
363
- source_code_uri: https://github.com/rails/rails/tree/v6.1.5/activesupport
363
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.5.1/activesupport
364
364
  rubygems_mfa_required: 'true'
365
- post_install_message:
365
+ post_install_message:
366
366
  rdoc_options:
367
367
  - "--encoding"
368
368
  - UTF-8
@@ -379,8 +379,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
379
379
  - !ruby/object:Gem::Version
380
380
  version: '0'
381
381
  requirements: []
382
- rubygems_version: 3.3.7
383
- signing_key:
382
+ rubygems_version: 3.1.6
383
+ signing_key:
384
384
  specification_version: 4
385
385
  summary: A toolkit of support libraries and Ruby core extensions extracted from the
386
386
  Rails framework.