chartkick 3.3.2 → 3.4.0

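--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b462bf7fa745700c8fa561b0e5707c309f6f5cca29e314e550921370b3a9d590
- data.tar.gz: be9169ad2777d6e40846ef058ad981a3366aea965f16aa2e1af44d7c2b81cad4
+ metadata.gz: 5afacd4c10d0cfddc6a2a660efead206ee042e80d48dd749f9de79feb365c1fd
+ data.tar.gz: c7fc99b0b2b467a6326df99f5832de2b3674f5f80415749cf57177142eecfc45
  SHA512:
- metadata.gz: 2eedfd5f334b4e875d88b7b5e9af963a8ad3c4f8fc86eb17b31f0fb41e3b357cb3909a27cc92f8018c709856f56a7c0614ec95ac5ab8747549767e1f95fd7de8
- data.tar.gz: f997c95810273ed9d436f3e307b92b3936fe17736d01adda4979efc90379f45a703d97aeeed3c9a3add187440d0d085c8b3e4635df2dec0720491c9268a80eda
+ metadata.gz: 75b1793b427c5d9d4604b813773253adb864b6134fad48f952c72377f75da40c8daa19eaf06fd7ce0b2da31a1ba436cfe54bde318ac849ec2080652582ac7076
+ data.tar.gz: 8f47e12f6e9c746871d02f0d5bd3093da1017c5a222837696b5b0d7b7e4008c400c8556e4f85ec7b0ccd79c15a9cb510a91a7d9ecf896d1a106b7c82e68ddc36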
@@ -1,3 +1,7 @@
1
+ ## 3.4.0 (2020-08-04)
2
+
3
+ - Fixed CSS injection with `width` and `height` options
4
+
1
5
  ## 3.3.2 (2020-07-23)
2
6
 
3
7
  - Updated Chartkick.js to 3.2.1
@@ -41,8 +41,8 @@ module Chartkick
41
41
  @chartkick_chart_id ||= 0
42
42
  options = chartkick_deep_merge(Chartkick.options, options)
43
43
  element_id = options.delete(:id) || "chart-#{@chartkick_chart_id += 1}"
44
- height = options.delete(:height) || "300px"
45
- width = options.delete(:width) || "100%"
44
+ height = (options.delete(:height) || "300px").to_s
45
+ width = (options.delete(:width) || "100%").to_s
46
46
  defer = !!options.delete(:defer)
47
47
  # content_for: nil must override default
48
48
  content_for = options.key?(:content_for) ? options.delete(:content_for) : Chartkick.content_for
@@ -63,14 +63,27 @@ module Chartkick
63
63
 
64
64
  # html vars
65
65
  html_vars = {
66
- id: element_id,
67
- height: height,
68
- width: width
66
+ id: element_id
69
67
  }
70
68
  html_vars.each_key do |k|
71
69
  html_vars[k] = ERB::Util.html_escape(html_vars[k])
72
70
  end
73
- html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars
71
+
72
+ # css vars
73
+ css_vars = {
74
+ height: height,
75
+ width: width
76
+ }
77
+ css_vars.each_key do |k|
78
+ # limit to alphanumeric and % for simplicity
79
+ # this prevents things like calc() but safety is the priority
80
+ raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%]*\z/
81
+ # we limit above, but escape for safety as fail-safe
82
+ # to prevent XSS injection in worse-case scenario
83
+ css_vars[k] = ERB::Util.html_escape(css_vars[k])
84
+ end
85
+
86
+ html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars.merge(css_vars)
74
87
 
75
88
  # js vars
76
89
  js_vars = {
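Review bot: The allow-list check `raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%]*\z/` uses `*`, so an empty string passes and is interpolated as `height: ;` and `line-height: ;` into the loading div's style attribute — not an injection, but a blank should fail closed like any other non-length rather than produce malformed CSS. Tightening it to `raise ArgumentError, "Invalid #{k}" unless css_vars[k].match?(/\A[a-zA-Z0-9%]+\z/)` rejects blanks and skips the MatchData allocation. The same pattern also rejects ordinary CSS lengths such as `1.5em` or `50.5%`; since the hunk's comments say that trade-off is deliberate, the helper's documentation should state that `:width` and `:height` accept only alphanumeric characters and `%` (e.g. `300px`, `100%`) and that any other value raises ArgumentError, so callers feeding request-derived values know to validate upstream instead of surfacing a 500. The enclosing helper method both starts above and continues below this hunk.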
@@ -1,3 +1,3 @@
1
1
  module Chartkick
2
- VERSION = "3.3.2"
2
+ VERSION = "3.4.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: chartkick
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.2
4
+ version: 3.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Kane
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-07-24 00:00:00.000000000 Z
11
+ date: 2020-08-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler