RubyGems - chartkick - Versions diffs - 3.3.2 → 3.4.0 - Mend

chartkick 3.3.2 → 3.4.0

Files changed (5) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b462bf7fa745700c8fa561b0e5707c309f6f5cca29e314e550921370b3a9d590
-  data.tar.gz: be9169ad2777d6e40846ef058ad981a3366aea965f16aa2e1af44d7c2b81cad4
+  metadata.gz: 5afacd4c10d0cfddc6a2a660efead206ee042e80d48dd749f9de79feb365c1fd
+  data.tar.gz: c7fc99b0b2b467a6326df99f5832de2b3674f5f80415749cf57177142eecfc45
 SHA512:
-  metadata.gz: 2eedfd5f334b4e875d88b7b5e9af963a8ad3c4f8fc86eb17b31f0fb41e3b357cb3909a27cc92f8018c709856f56a7c0614ec95ac5ab8747549767e1f95fd7de8
-  data.tar.gz: f997c95810273ed9d436f3e307b92b3936fe17736d01adda4979efc90379f45a703d97aeeed3c9a3add187440d0d085c8b3e4635df2dec0720491c9268a80eda
+  metadata.gz: 75b1793b427c5d9d4604b813773253adb864b6134fad48f952c72377f75da40c8daa19eaf06fd7ce0b2da31a1ba436cfe54bde318ac849ec2080652582ac7076
+  data.tar.gz: 8f47e12f6e9c746871d02f0d5bd3093da1017c5a222837696b5b0d7b7e4008c400c8556e4f85ec7b0ccd79c15a9cb510a91a7d9ecf896d1a106b7c82e68ddc36

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 3.4.0 (2020-08-04)
+- Fixed CSS injection with `width` and `height` options
 ## 3.3.2 (2020-07-23)
 - Updated Chartkick.js to 3.2.1

data/lib/chartkick/helper.rb CHANGED

@@ -41,8 +41,8 @@ module Chartkick
       @chartkick_chart_id ||= 0
       options = chartkick_deep_merge(Chartkick.options, options)
       element_id = options.delete(:id) || "chart-#{@chartkick_chart_id += 1}"
-      height = options.delete(:height) || "300px"
-      width = options.delete(:width) || "100%"
+      height = (options.delete(:height) || "300px").to_s
+      width = (options.delete(:width) || "100%").to_s
       defer = !!options.delete(:defer)
       # content_for: nil must override default
       content_for = options.key?(:content_for) ? options.delete(:content_for) : Chartkick.content_for
@@ -63,14 +63,27 @@ module Chartkick
       # html vars
       html_vars = {
-        id: element_id,
-        height: height,
-        width: width
+        id: element_id
       }
       html_vars.each_key do |k|
         html_vars[k] = ERB::Util.html_escape(html_vars[k])
       end
-      html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars
+      # css vars
+      css_vars = {
+        height: height,
+        width: width
+      }
+      css_vars.each_key do |k|
+        # limit to alphanumeric and % for simplicity
+        # this prevents things like calc() but safety is the priority
+        raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%]*\z/
+        # we limit above, but escape for safety as fail-safe
+        # to prevent XSS injection in worse-case scenario
+        css_vars[k] = ERB::Util.html_escape(css_vars[k])
+      end
+      html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars.merge(css_vars)
       # js vars
       js_vars = {

data/lib/chartkick/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Chartkick
-  VERSION = "3.3.2"
+  VERSION = "3.4.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chartkick
 version: !ruby/object:Gem::Version
-  version: 3.3.2
+  version: 3.4.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-24 00:00:00.000000000 Z
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler