activesupport 6.0.4.7 → 6.0.4.8

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7c2ac48c4fc14731e5de656bd8d6e95f0e05bbf3e327070658ed4ffe5f4220d1
4
- data.tar.gz: f2c96dbb25d284303c5b8d6c642951085a7ae33dcf19e5423f3143b3e4a11801
3
+ metadata.gz: c10e4238f073719e09a040bcb9d75ffb447e6255ce7794099f9d3f6ae38b5b32
4
+ data.tar.gz: e4044e3a0e76c0c732107d921d6832740dc41b6ac95bf912a70505a1d43d6a80
5
5
  SHA512:
6
- metadata.gz: f5894888b523c8523b1664a00e1daf9d6cd679f78fd0f4ef0dfb5860058d99869960d4241e94d4802e19607e3e42abb6a141b37b85ea596b7e49510cf4f2162b
7
- data.tar.gz: ac6c166043958ea77707d2f4973225568bee0b2d8bf1c3a9518e83f2b3f36f8e4761437cec0cd9de7389a017ea38f91fe89cd7f3b2d8bd03a99900f743bb0f53
6
+ metadata.gz: 3ab4066d1f1b568f9ed38f92a40d18515557f4d1f3eea87a571c2f3e3a6fd1d237229fb890cc383b4b943de410ae52347251da3675f79f872861791b10a00485
7
+ data.tar.gz: d586fccfd8c78eaccba32a46275e84bef0fefec92ace78bec50cef3d34c053e3842dee2380b020464f4f6c5a9b94b6815d5275438343ae02e5018cfb36aefb09
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
1
+ ## Rails 6.0.4.8 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
6
+ in names of tags and names of attributes, following the specification of XML.
7
+
8
+ *Álvaro Martín Fraguas*
9
+
10
+
1
11
  ## Rails 6.0.4.7 (March 08, 2022) ##
2
12
 
3
13
  * No changes.
@@ -12,6 +12,14 @@ class ERB
12
12
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
13
13
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
14
14
 
15
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
16
+ TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
17
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
18
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
19
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
20
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
21
+ TAG_NAME_REPLACEMENT_CHAR = "_"
22
+
15
23
  # A utility method for escaping HTML tag characters.
16
24
  # This method is also aliased as <tt>h</tt>.
17
25
  #
@@ -116,6 +124,26 @@ class ERB
116
124
  end
117
125
 
118
126
  module_function :json_escape
127
+
128
+ # A utility method for escaping XML names of tags and names of attributes.
129
+ #
130
+ # xml_name_escape('1 < 2 & 3')
131
+ # # => "1___2___3"
132
+ #
133
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
134
+ def xml_name_escape(name)
135
+ name = name.to_s
136
+ return "" if name.blank?
137
+
138
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
139
+
140
+ return starting_char if name.size == 1
141
+
142
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
143
+
144
+ starting_char + following_chars
145
+ end
146
+ module_function :xml_name_escape
119
147
  end
120
148
  end
121
149
 
@@ -10,7 +10,7 @@ module ActiveSupport
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 4
13
- PRE = "7"
13
+ PRE = "8"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.4.7
4
+ version: 6.0.4.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-08 00:00:00.000000000 Z
11
+ date: 2022-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -359,10 +359,10 @@ licenses:
359
359
  - MIT
360
360
  metadata:
361
361
  bug_tracker_uri: https://github.com/rails/rails/issues
362
- changelog_uri: https://github.com/rails/rails/blob/v6.0.4.7/activesupport/CHANGELOG.md
363
- documentation_uri: https://api.rubyonrails.org/v6.0.4.7/
362
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.4.8/activesupport/CHANGELOG.md
363
+ documentation_uri: https://api.rubyonrails.org/v6.0.4.8/
364
364
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
365
- source_code_uri: https://github.com/rails/rails/tree/v6.0.4.7/activesupport
365
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.4.8/activesupport
366
366
  post_install_message:
367
367
  rdoc_options:
368
368
  - "--encoding"