activesupport 6.1.5 → 6.1.5.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activesupport might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/lib/active_support/core_ext/string/output_safety.rb +28 -0
- data/lib/active_support/gem_version.rb +1 -1
- metadata +9 -9
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 03f0888f6510d51dd63f94d6bdef1a01bc267213c8e32e05e5b23f3a18be663e
|
|
4
|
+
data.tar.gz: c36c9f693da00016c44ff333a8aca0a3b203acb391e3a1f11ac75741182fb726
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9720be129b6a970ecd40651359fdf5d91fadb5b03e626e18a1ea161d50cb86db629fbe282f1b3b712c6b630e87a59ad62d371ef24e795b8426876793524c3600
|
|
7
|
+
data.tar.gz: e961f1e39d735e17519a92665ab4e96a77fe95fd972c534ffa82a083dabb30147f1a1c5273b084d5c380bd0bce0826482cf4abd3f21292e000dea1ad4d04e3be
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
|
2
|
+
|
|
3
|
+
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
|
|
4
|
+
|
|
5
|
+
Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
|
|
6
|
+
in names of tags and names of attributes, following the specification of XML.
|
|
7
|
+
|
|
8
|
+
*Álvaro Martín Fraguas*
|
|
9
|
+
|
|
1
10
|
## Rails 6.1.5 (March 09, 2022) ##
|
|
2
11
|
|
|
3
12
|
* Fix `ActiveSupport::Duration.build` to support negative values.
|
|
@@ -11,6 +11,14 @@ class ERB
|
|
|
11
11
|
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
|
|
12
12
|
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
|
|
13
13
|
|
|
14
|
+
# Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
|
|
15
|
+
TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
|
|
16
|
+
"\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
|
|
17
|
+
"\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
|
|
18
|
+
TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
|
|
19
|
+
TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
|
|
20
|
+
TAG_NAME_REPLACEMENT_CHAR = "_"
|
|
21
|
+
|
|
14
22
|
# A utility method for escaping HTML tag characters.
|
|
15
23
|
# This method is also aliased as <tt>h</tt>.
|
|
16
24
|
#
|
|
@@ -115,6 +123,26 @@ class ERB
|
|
|
115
123
|
end
|
|
116
124
|
|
|
117
125
|
module_function :json_escape
|
|
126
|
+
|
|
127
|
+
# A utility method for escaping XML names of tags and names of attributes.
|
|
128
|
+
#
|
|
129
|
+
# xml_name_escape('1 < 2 & 3')
|
|
130
|
+
# # => "1___2___3"
|
|
131
|
+
#
|
|
132
|
+
# It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
|
|
133
|
+
def xml_name_escape(name)
|
|
134
|
+
name = name.to_s
|
|
135
|
+
return "" if name.blank?
|
|
136
|
+
|
|
137
|
+
starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
|
|
138
|
+
|
|
139
|
+
return starting_char if name.size == 1
|
|
140
|
+
|
|
141
|
+
following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
|
|
142
|
+
|
|
143
|
+
starting_char + following_chars
|
|
144
|
+
end
|
|
145
|
+
module_function :xml_name_escape
|
|
118
146
|
end
|
|
119
147
|
end
|
|
120
148
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activesupport
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.5
|
|
4
|
+
version: 6.1.5.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-04-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: i18n
|
|
@@ -357,12 +357,12 @@ licenses:
|
|
|
357
357
|
- MIT
|
|
358
358
|
metadata:
|
|
359
359
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
360
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.5/activesupport/CHANGELOG.md
|
|
361
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.5/
|
|
360
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.5.1/activesupport/CHANGELOG.md
|
|
361
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.5.1/
|
|
362
362
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
363
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.5/activesupport
|
|
363
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.5.1/activesupport
|
|
364
364
|
rubygems_mfa_required: 'true'
|
|
365
|
-
post_install_message:
|
|
365
|
+
post_install_message:
|
|
366
366
|
rdoc_options:
|
|
367
367
|
- "--encoding"
|
|
368
368
|
- UTF-8
|
|
@@ -379,8 +379,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
379
379
|
- !ruby/object:Gem::Version
|
|
380
380
|
version: '0'
|
|
381
381
|
requirements: []
|
|
382
|
-
rubygems_version: 3.
|
|
383
|
-
signing_key:
|
|
382
|
+
rubygems_version: 3.1.6
|
|
383
|
+
signing_key:
|
|
384
384
|
specification_version: 4
|
|
385
385
|
summary: A toolkit of support libraries and Ruby core extensions extracted from the
|
|
386
386
|
Rails framework.
|