bh 1.3.3 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7f5835cd462fb3d11c1aed1d680b9cad2e07118a
-  data.tar.gz: a790bdc43c1d08155d6768fb871c4c1317dfd3f8
+  metadata.gz: 990dc7edcfb65b8cf34d156eec8abc3f18e32c9f
+  data.tar.gz: 9ad5be9c224508ed6cd2f43406561e36ed6eb688
 SHA512:
-  metadata.gz: ccf655fafab88fbb6b66c7e5b65fca87bcec689a4e23f3d75b934555146d703e3b01509491b8d348cb4f1a113491e7f4c572eafbedd62a01669e639543c94b0d
-  data.tar.gz: 9286a9d3ae256ba18927d8c5f2b9dfcfa29b2ef2455c83f00cd65e8f052481a36322fc8129181e5496147ba52b0722389f146201eb48bddb3abbf2c48fd84d35
+  metadata.gz: b31c41c110c0f70965c0a5172d6c1bc6f7c84f652da0c8335a434e6d6b6f75d567464e60c87b04a4e0001f8454c5cf1085669bae83069cbb400cb2975155ca72
+  data.tar.gz: cf475af91cb93ffb13a82177c35dd33415c021fd264928ce4b8e9973654efab0e77dcc9128d385a253613083274b8485bdef66745e152bd1d84e913d2b89ecbb

data/CHANGELOG.md

@@ -6,6 +6,18 @@ For more information about changelogs, check
 [Keep a Changelog](http://keepachangelog.com) and
 [Vandamme](http://tech-angels.github.io/vandamme).
 
+## 1.3.4 - 2014-06-23
+
+* [BUGFIX] Security: don’t always assume that the content of `link_to` is safe
+
+Note that this might break your code if it relied on the wrong behavior of
+Bh, assuming that the content of `link_to` was always HTML safe.
+
+For instance, if your app has the following code to display an image with a
+link `link_to '<img src="logo.png">', '/'`, then the image will not display
+anymore, since Bh now correctly escapes the HTML content (as Rails and Padrino
+do). In this case, you should use `link_to image_tag('logo.png'), '/'` instead.
+
 ## 1.3.3 - 2014-03-11
 
 * [BUGFIX] Correctly align the "X" icon at the right of the field in basic forms

data/README.md

@@ -44,7 +44,7 @@ The other ones are: `bootstrap_css`, `bootstrap_js`, `bootstrap_theme_css`,
 How to install
 ==============
 
-Bh is compatible with **Rails 3**, **Rails 4**, **Padrino** and **Middleman**.
+Bh is compatible with **Rails 3.2**, **Rails 4**, **Padrino** and **Middleman**.
 
 To include the Bh gem in your project:
 

data/gemfiles/Gemfile.rails-3.x

@@ -1,8 +1,8 @@
 source 'http://rubygems.org'
 
-gem 'activesupport', '~> 3.0'
-gem 'actionpack', '~> 3.0'
-gem 'activemodel', '~> 3.0'
+gem 'activesupport', '~> 3.2'
+gem 'actionpack', '~> 3.2'
+gem 'activemodel', '~> 3.2'
 gem 'middleman-core', '~> 3.2.2'
 
 gemspec path: '../'

data/lib/bh/classes/base.rb

@@ -59,7 +59,7 @@ module Bh
         items = Array.wrap(@content).map do |item|
           item.is_a?(Base) ? item.content_tag(item.tag) : item
         end
-        safe_join items
+        items.all?(&:html_safe?) ? safe_join(items) : items.join
       end
 
       def content_tag(tag)

data/lib/bh/version.rb

@@ -1,3 +1,3 @@
 module Bh
-  VERSION = '1.3.3'
+  VERSION = '1.3.4'
 end

data/spec/shared/link_to_helper.rb

@@ -5,6 +5,8 @@ shared_examples_for 'the link_to helper' do
   all_tests_pass_with 'the link wrapped in dropdown'
   all_tests_pass_with 'the link wrapped in nav'
   all_tests_pass_with 'the link wrapped in vertical'
+  all_tests_pass_with 'the link including unsafe Javascript'
+  all_tests_pass_with 'the link including safe HTML content'
 end
 
 #--
@@ -55,8 +57,28 @@ shared_examples_for 'the link wrapped in nav' do
 end
 
 shared_examples_for 'the link wrapped in vertical' do
-  specify 'surrounds the link in a <li> item' do
-    html = '<li><a href="/">content</a></li>'
-    bh.vertical { expect(:link_to).to generate html }
+  specify 'adds the "navbar-brand" class to the link' do
+    html = %r{^<a.+class="navbar-brand".*>content</a>$}
+    bh.navbar(id: 'id') do
+      bh.vertical { expect(:link_to).to generate html }
+    end
   end
-end
+end
+
+shared_examples_for 'the link including unsafe Javascript' do
+  specify 'uses the original link_to helper which escapes the link' do
+    expect(link_to: :xss_script).not_to generate %r{<script>}
+    bh.alert_box { expect(link_to: :xss_script).not_to generate %r{<script>} }
+    bh.dropdown('') { expect(link_to: :xss_script).not_to generate %r{<script>} }
+    bh.nav { expect(link_to: :xss_script).not_to generate %r{<script>} }
+    bh.navbar(id: 'id') do
+      bh.vertical { expect(link_to: :xss_script).not_to generate %r{<script>} }
+    end
+  end
+end
+
+shared_examples_for 'the link including safe HTML content' do
+  specify 'does not escape the HTML content' do
+    expect(link_to: :safe_html).to generate %r{<hr />}
+  end
+end

data/spec/support/matchers.rb

@@ -7,6 +7,12 @@ RSpec::Matchers.define :generate do |html|
     if helper == :link_to && options == :nil_name
       @inline = bh.send helper, nil, '/'
       @block = @inline
+    elsif helper == :link_to && options == :xss_script
+      @inline = bh.send helper, '<script>alert("xss")</script>', '/'
+      @block = bh.send(helper, '/') { '<script>alert("xss")</script>' }
+    elsif helper == :link_to && options == :safe_html
+      @inline = bh.send helper, bh.tag(:hr), '/'
+      @block = bh.send(helper, '/') { bh.tag(:hr) }
     elsif helper == :link_to || helper == :button_to
       @inline = bh.send helper, *['content', '/', options].compact
       if bh.test_button_to_with_block

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bh
 version: !ruby/object:Gem::Version
-  version: 1.3.3
+  version: 1.3.4
 platform: ruby
 authors:
 - Claudio Baccigalupo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-11 00:00:00.000000000 Z
+date: 2015-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport