activesupport 7.0.2.3 → 7.0.2.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: da403c75ed521630cf7259572515e2aac83fa7f5e325de6967925dcbd976a6e6
4
- data.tar.gz: e74ff605a4151e4c4232d6193096e68c0de6fbbb633f68b7bc32184c95a13da7
3
+ metadata.gz: '02869b1bcaf37b6194486f794ee952cd0fc99be001f71f7aa6c2f883acbbb124'
4
+ data.tar.gz: b2819e4848cfeb61f674e89f2dbc734c1e3a06003b85f9e28153a4b1cf5d1c42
5
5
  SHA512:
6
- metadata.gz: 74d16fb70cbe757fbdc24ef975611f1c0904fe09cf11bb6b6bb7bf62446a0b0a78af7d0ae2c4fb97f74e348fcda1585d279758159884c38da28c77653d789e9c
7
- data.tar.gz: 39431adb807fc5e5a330265470cc702400ccab05581d2474486bc72e33d24785226863671616ce1da88dcd3d0979efd2660c79822516a6eab473c418de970b9b
6
+ metadata.gz: 8949b44a0afb53bc581e1df773c8a991b6c6f0e2533e1d7198686ff1013cc0e24cd203f26edd07a21c7a54edb30b8b8f537d2e17987533a66ccf7b8239d7fde3
7
+ data.tar.gz: 6199375f07c08dee86c37886c6b2e063d6cc8a65f326cb9697aefa97b85b4f4bce0ff4fe1f702c7b223c80e5fd1ef4c293f57dc35dd30a8e8159d74eafb1589d
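Review bot: the new metadata.gz SHA256 is the only digest that arrives single-quoted; the quotes are a YAML emitter artifact for a scalar that begins with 0 and do not alter the value, so anything consuming this file should parse the digests as strings rather than diffing the raw text. All four digests changing is expected for a rebuilt gem; the check that matters is that the metadata.gz and data.tar.gz inside the `.gem` actually fetched from rubygems.org hash to what is recorded here before the bump is trusted.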
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ ## Rails 7.0.2.4 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
6
+ in names of tags and names of attributes, following the specification of XML.
7
+
8
+ *Álvaro Martín Fraguas*
9
+
1
10
  ## Rails 7.0.2.3 (March 08, 2022) ##
2
11
 
3
12
  * No changes.
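Review bot: the entry is mis-scoped for this gem's changelog: the first bullet describes fixes in `ActionView::Helpers`, which ship in the actionview gem, whereas what this activesupport release carries is the new `ERB::Util.xml_name_escape` method and its regexp constants. Suggest leading with that and linking the security advisory for the XSS fix, so a consumer reading this file can map 7.0.2.4 to the issue it addresses; as written, the activesupport-side change is only described in the second sentence.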
@@ -11,6 +11,14 @@ class ERB
11
11
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
12
12
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
13
13
 
14
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
15
+ TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
16
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
17
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
18
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
19
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
20
+ TAG_NAME_REPLACEMENT_CHAR = "_"
21
+
14
22
  # A utility method for escaping HTML tag characters.
15
23
  # This method is also aliased as <tt>h</tt>.
16
24
  #
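Review bot: the one-line comment above the new constants should say what each one is: `TAG_NAME_START_REGEXP_SET` is the XML `NameStartChar` production, the ranges appended in `TAG_NAME_FOLLOWING_REGEXP` (`\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}`) are the additions that make up `NameChar`, and both regexps are negated character classes, so they match the characters to replace, not the ones to keep. It is also worth recording that interpolating the set into `/[^#{...}]/` relies on the set never containing an unescaped `]`, which holds here but is easy to break in a later edit, and that the `\u{}` escapes force the string to UTF-8, which is why no `/u` flag is needed even though `JSON_ESCAPE_REGEXP` just above carries one. This hunk's file header is absent in this view; from `class ERB` and `module_function :json_escape` it is the `ERB::Util` core extension.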
@@ -115,6 +123,26 @@ class ERB
115
123
  end
116
124
 
117
125
  module_function :json_escape
126
+
127
+ # A utility method for escaping XML names of tags and names of attributes.
128
+ #
129
+ # xml_name_escape('1 < 2 & 3')
130
+ # # => "1___2___3"
131
+ #
132
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
133
+ def xml_name_escape(name)
134
+ name = name.to_s
135
+ return "" if name.blank?
136
+
137
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
138
+
139
+ return starting_char if name.size == 1
140
+
141
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
142
+
143
+ starting_char + following_chars
144
+ end
145
+ module_function :xml_name_escape
118
146
  end
119
147
  end
120
148
 
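Review bot: the documented example does not match the implementation: a leading `1` is not in `TAG_NAME_START_REGEXP_SET` (digits are permitted only as following characters), so `xml_name_escape('1 < 2 & 3')` returns `"____2___3"`, not `"1___2___3"`; either fix the comment or use an input that starts with a letter. Three smaller points: `name.blank?` pulls `Object#blank?` from ActiveSupport into what is otherwise a plain `ERB::Util` extension and turns a whitespace-only name into `""` instead of `"___"`, so `name.empty?` is the more predictable check; `gsub` raises `ArgumentError` on a string with an invalid byte sequence, so an encoding check or `scrub` before the first `gsub` would make the helper safe on untrusted input; and because every disallowed character collapses to the same `_`, distinct inputs such as `a<b` and `a>b` escape to the same name, which callers that use the escaped name as a key should be told in the doc comment.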
@@ -10,7 +10,7 @@ module ActiveSupport
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 2
13
- PRE = "3"
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.0.2.3
4
+ version: 7.0.2.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-08 00:00:00.000000000 Z
11
+ date: 2022-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -359,10 +359,10 @@ licenses:
359
359
  - MIT
360
360
  metadata:
361
361
  bug_tracker_uri: https://github.com/rails/rails/issues
362
- changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/activesupport/CHANGELOG.md
363
- documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
362
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/activesupport/CHANGELOG.md
363
+ documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
364
364
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
365
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/activesupport
365
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/activesupport
366
366
  rubygems_mfa_required: 'true'
367
367
  post_install_message:
368
368
  rdoc_options: