bh 1.3.3 → 1.3.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +1 -1
- data/gemfiles/Gemfile.rails-3.x +3 -3
- data/lib/bh/classes/base.rb +1 -1
- data/lib/bh/version.rb +1 -1
- data/spec/shared/link_to_helper.rb +26 -4
- data/spec/support/matchers.rb +6 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 990dc7edcfb65b8cf34d156eec8abc3f18e32c9f
|
|
4
|
+
data.tar.gz: 9ad5be9c224508ed6cd2f43406561e36ed6eb688
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b31c41c110c0f70965c0a5172d6c1bc6f7c84f652da0c8335a434e6d6b6f75d567464e60c87b04a4e0001f8454c5cf1085669bae83069cbb400cb2975155ca72
|
|
7
|
+
data.tar.gz: cf475af91cb93ffb13a82177c35dd33415c021fd264928ce4b8e9973654efab0e77dcc9128d385a253613083274b8485bdef66745e152bd1d84e913d2b89ecbb
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,18 @@ For more information about changelogs, check
|
|
|
6
6
|
[Keep a Changelog](http://keepachangelog.com) and
|
|
7
7
|
[Vandamme](http://tech-angels.github.io/vandamme).
|
|
8
8
|
|
|
9
|
+
## 1.3.4 - 2014-06-23
|
|
10
|
+
|
|
11
|
+
* [BUGFIX] Security: don’t always assume that the content of `link_to` is safe
|
|
12
|
+
|
|
13
|
+
Note that this might break your code if it relied on the wrong behavior of
|
|
14
|
+
Bh, assuming that the content of `link_to` was always HTML safe.
|
|
15
|
+
|
|
16
|
+
For instance, if your app has the following code to display an image with a
|
|
17
|
+
link `link_to '<img src="logo.png">', '/'`, then the image will not display
|
|
18
|
+
anymore, since Bh now correctly escapes the HTML content (as Rails and Padrino
|
|
19
|
+
do). In this case, you should use `link_to image_tag('logo.png'), '/'` instead.
|
|
20
|
+
|
|
9
21
|
## 1.3.3 - 2014-03-11
|
|
10
22
|
|
|
11
23
|
* [BUGFIX] Correctly align the "X" icon at the right of the field in basic forms
|
data/README.md
CHANGED
|
@@ -44,7 +44,7 @@ The other ones are: `bootstrap_css`, `bootstrap_js`, `bootstrap_theme_css`,
|
|
|
44
44
|
How to install
|
|
45
45
|
==============
|
|
46
46
|
|
|
47
|
-
Bh is compatible with **Rails 3**, **Rails 4**, **Padrino** and **Middleman**.
|
|
47
|
+
Bh is compatible with **Rails 3.2**, **Rails 4**, **Padrino** and **Middleman**.
|
|
48
48
|
|
|
49
49
|
To include the Bh gem in your project:
|
|
50
50
|
|
data/gemfiles/Gemfile.rails-3.x
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
source 'http://rubygems.org'
|
|
2
2
|
|
|
3
|
-
gem 'activesupport', '~> 3.
|
|
4
|
-
gem 'actionpack', '~> 3.
|
|
5
|
-
gem 'activemodel', '~> 3.
|
|
3
|
+
gem 'activesupport', '~> 3.2'
|
|
4
|
+
gem 'actionpack', '~> 3.2'
|
|
5
|
+
gem 'activemodel', '~> 3.2'
|
|
6
6
|
gem 'middleman-core', '~> 3.2.2'
|
|
7
7
|
|
|
8
8
|
gemspec path: '../'
|
data/lib/bh/classes/base.rb
CHANGED
data/lib/bh/version.rb
CHANGED
|
@@ -5,6 +5,8 @@ shared_examples_for 'the link_to helper' do
|
|
|
5
5
|
all_tests_pass_with 'the link wrapped in dropdown'
|
|
6
6
|
all_tests_pass_with 'the link wrapped in nav'
|
|
7
7
|
all_tests_pass_with 'the link wrapped in vertical'
|
|
8
|
+
all_tests_pass_with 'the link including unsafe Javascript'
|
|
9
|
+
all_tests_pass_with 'the link including safe HTML content'
|
|
8
10
|
end
|
|
9
11
|
|
|
10
12
|
#--
|
|
@@ -55,8 +57,28 @@ shared_examples_for 'the link wrapped in nav' do
|
|
|
55
57
|
end
|
|
56
58
|
|
|
57
59
|
shared_examples_for 'the link wrapped in vertical' do
|
|
58
|
-
specify '
|
|
59
|
-
html =
|
|
60
|
-
bh.
|
|
60
|
+
specify 'adds the "navbar-brand" class to the link' do
|
|
61
|
+
html = %r{^<a.+class="navbar-brand".*>content</a>$}
|
|
62
|
+
bh.navbar(id: 'id') do
|
|
63
|
+
bh.vertical { expect(:link_to).to generate html }
|
|
64
|
+
end
|
|
61
65
|
end
|
|
62
|
-
end
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
shared_examples_for 'the link including unsafe Javascript' do
|
|
69
|
+
specify 'uses the original link_to helper which escapes the link' do
|
|
70
|
+
expect(link_to: :xss_script).not_to generate %r{<script>}
|
|
71
|
+
bh.alert_box { expect(link_to: :xss_script).not_to generate %r{<script>} }
|
|
72
|
+
bh.dropdown('') { expect(link_to: :xss_script).not_to generate %r{<script>} }
|
|
73
|
+
bh.nav { expect(link_to: :xss_script).not_to generate %r{<script>} }
|
|
74
|
+
bh.navbar(id: 'id') do
|
|
75
|
+
bh.vertical { expect(link_to: :xss_script).not_to generate %r{<script>} }
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
shared_examples_for 'the link including safe HTML content' do
|
|
81
|
+
specify 'does not escape the HTML content' do
|
|
82
|
+
expect(link_to: :safe_html).to generate %r{<hr />}
|
|
83
|
+
end
|
|
84
|
+
end
|
data/spec/support/matchers.rb
CHANGED
|
@@ -7,6 +7,12 @@ RSpec::Matchers.define :generate do |html|
|
|
|
7
7
|
if helper == :link_to && options == :nil_name
|
|
8
8
|
@inline = bh.send helper, nil, '/'
|
|
9
9
|
@block = @inline
|
|
10
|
+
elsif helper == :link_to && options == :xss_script
|
|
11
|
+
@inline = bh.send helper, '<script>alert("xss")</script>', '/'
|
|
12
|
+
@block = bh.send(helper, '/') { '<script>alert("xss")</script>' }
|
|
13
|
+
elsif helper == :link_to && options == :safe_html
|
|
14
|
+
@inline = bh.send helper, bh.tag(:hr), '/'
|
|
15
|
+
@block = bh.send(helper, '/') { bh.tag(:hr) }
|
|
10
16
|
elsif helper == :link_to || helper == :button_to
|
|
11
17
|
@inline = bh.send helper, *['content', '/', options].compact
|
|
12
18
|
if bh.test_button_to_with_block
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: bh
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.3.
|
|
4
|
+
version: 1.3.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Claudio Baccigalupo
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-06-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|