gollum-lib 5.1.1 → 5.1.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 47faac44209a913d8a5e77c59da097cb0be6fe744f73954894784d7ba870aadb
4
- data.tar.gz: cda628f38b4fdfc54af5abaa10576717c09a439c9b7d634db523e2c11fdd31b2
3
+ metadata.gz: ccf06509c7be7d9ce30fec5185caf8160752806c978c4a9442a8a1761d6d9a86
4
+ data.tar.gz: e6caac594ae4a468637d2b7655cff942241315abbac3adfac1fc3992abb329d2
5
5
  SHA512:
6
- metadata.gz: 1a301d2d3ec39106043766a4ec204b69849b6f3e54cd4e5223d7cbc3373737fe3dc36f9877790749cbdb92005da945e128e8bfcf5575ba9839b6cec65c77a78a
7
- data.tar.gz: 6ae767089ea2efc4d7de8187ae8020163d5fe5f1dd9777a0b78d9877387fda79b67663e9537649cfb7330ba7e786e2aa4a164083ab98e94640e4b5dad61e123b
6
+ metadata.gz: eb43a84550c6be9cd60716ea97cf3f67f5c18b3e0f4ca59bda95dc639bef80285fc9d6eb5c376aedcdf7592a4c4c5a12df6a1345e9c4f2290960fefb9fffa3d0
7
+ data.tar.gz: 2dc8f219900b705c78dffa7226fd713d15fd4a8778c2eaa4145ea3a087e21365b878b3b933e4845b038aeafd52f3ba5b79b445907d68b7be1fdf746d3ff95f7d
data/HISTORY.md CHANGED
@@ -1,6 +1,10 @@
1
+ # v5.1.2
2
+
3
+ * SECURITY UPDATE: sanitize HTML generated by Macros.
4
+
1
5
  # v5.0.1
2
6
 
3
- Bugfix release: fix emoji when using base path. Thanks to @heavywatal.
7
+ * Bugfix release: fix emoji when using base path. Thanks to @heavywatal.
4
8
 
5
9
  # v5.0
6
10
 
data/gemspec.rb CHANGED
@@ -8,7 +8,7 @@ def specification(version, default_adapter, platform = nil)
8
8
  s.name = 'gollum-lib'
9
9
  s.version = version
10
10
  s.platform = platform if platform
11
- s.date = '2021-06-28'
11
+ s.date = '2021-07-10'
12
12
  s.date = '2017-04-13'
13
13
  s.rubyforge_project = 'gollum-lib'
14
14
  s.license = 'MIT'
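Review bot: The bumped `s.date = '2021-07-10'` on line 11 is overwritten one line later by the unchanged `s.date = '2017-04-13'` on line 12, so the bump has no effect and the gem still carries the 2017 date. The stale second assignment predates this commit, but a release advertised as a security update is the right moment to remove line 12 (or fold the bump into it) so the published metadata reflects when the fix shipped. `specification` starts before the hunk, so I cannot see whether anything later reassigns `s.date` again.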
@@ -55,6 +55,6 @@ class Gollum::Filter::Macro < Gollum::Filter
55
55
  end
56
56
  end
57
57
 
58
- data
58
+ sanitize(data)
59
59
  end
60
60
  end
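Review bot: `sanitize(data)` on line 58 is the line that makes every macro's output pass through a sanitizer, but `sanitize` is not defined in the hunk, so whether it applies the wiki's configured allowlist or a fixed one cannot be confirmed from here; a short comment would help the next reader, e.g. `# Macro output is untrusted HTML: sanitize it before it is spliced back into the page.` The Note and Warning macros (later hunks on this page) interpolate `icon.to_svg`, so if the sanitizer does not allow inline `<svg>` those icons will vanish silently; a test that renders one of them through this filter would pin that. The enclosing method starts outside the hunk.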
@@ -3,7 +3,7 @@ module Gollum
3
3
  class AllPages < Gollum::Macro
4
4
  def render
5
5
  if @wiki.pages.size > 0
6
- '<ul id="pages">' + @wiki.pages.map { |p| "<li>#{p.name}</li>" }.join + '</ul>'
6
+ '<ul id="pages">' + @wiki.pages.map { |p| "<li>#{CGI::escapeHTML(p.name)}</li>" }.join + '</ul>'
7
7
  end
8
8
  end
9
9
  end
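Review bot: `CGI::escapeHTML(p.name)` on line 6 introduces a dependency on the `cgi` standard library, and no hunk on this page adds `require 'cgi'`; if the constant is currently only loaded transitively by another gem, the macro raises `NameError` in a minimal environment, so a `require 'cgi'` at the top of each macro file (or once in the library entry point) is cheap insurance. Style-wise, the community guide reserves `::` for constant lookup; `CGI.escapeHTML(p.name)` is the conventional call form. Both points apply equally to the Audio, GlobalTOC, TOC, Note, Series, Video and Warning hunks below. While here, line 5's `@wiki.pages.size > 0` reads better as `unless @wiki.pages.empty?`.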
@@ -2,7 +2,7 @@ module Gollum
2
2
  class Macro
3
3
  class Audio < Gollum::Macro
4
4
  def render (fname)
5
- "<audio width=\"100%\" height=\"100%\" src=\"#{fname}\" controls=\"\"> HTML5 audio is not supported on this Browser.</audio>"
5
+ "<audio width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"\"> HTML5 audio is not supported on this Browser.</audio>"
6
6
  end
7
7
  end
8
8
  end
@@ -4,9 +4,9 @@ module Gollum
4
4
  def render(title = "Global Table of Contents")
5
5
  if @wiki.pages.size > 0
6
6
  prepath = @wiki.base_path.sub(/\/$/, '')
7
- result = '<ul>' + @wiki.pages.map { |p| "<li><a href=\"#{prepath}/#{p.escaped_url_path}\">#{p.url_path}</a></li>" }.join + '</ul>'
7
+ result = '<ul>' + @wiki.pages.map { |p| "<li><a href=\"#{CGI::escapeHTML(prepath + "/" + p.escaped_url_path)}\">#{CGI::escapeHTML(p.url_path)}</a></li>" }.join + '</ul>'
8
8
  end
9
- "<div class=\"toc\"><div class=\"toc-title\">#{title}</div>#{result}</div>"
9
+ "<div class=\"toc\"><div class=\"toc-title\">#{CGI::escapeHTML(title)}</div>#{result}</div>"
10
10
  end
11
11
  end
12
12
  end
@@ -9,12 +9,12 @@ module Gollum
9
9
  list_items = pages.map do |page|
10
10
  if toc_root_path == '.' || page.url_path =~ /^#{toc_root_path}\//
11
11
  path_display = (full_path || toc_root_path == '.') ? page.url_path : page.url_path.sub(/^#{toc_root_path}\//,"").sub(/^\//,'')
12
- "<li><a href=\"#{prepath}/#{page.escaped_url_path}\">#{path_display}</a></li>"
12
+ "<li><a href=\"#{CGI::escapeHTML(prepath + "/" + page.escaped_url_path)}\">#{CGI::escapeHTML(path_display)}</a></li>"
13
13
  end
14
14
  end
15
15
  result = "<ul>#{list_items.join}</ul>"
16
16
  end
17
- "<div class=\"toc\"><div class=\"toc-title\">#{title}</div>#{result}</div>"
17
+ "<div class=\"toc\"><div class=\"toc-title\">#{CGI::escapeHTML(title)}</div>#{result}</div>"
18
18
  end
19
19
 
20
20
  end
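Review bot: The escaping added on line 12 closes the HTML side, but lines 10 and 11 still interpolate `toc_root_path` raw into `/^#{toc_root_path}\//`, so an argument containing regex metacharacters either raises `RegexpError` or matches something other than the literal prefix; it should be `Regexp.escape`d, and `\A` is the whole-string anchor where `^` only anchors a line. One line before the `map` would cover both uses, `root_re = %r{\A#{Regexp.escape(toc_root_path)}/}`, with `page.url_path =~ root_re` on line 10 and `page.url_path.sub(root_re, '')` on line 11. The `render` method that owns this block starts before the hunk, so where `toc_root_path` is parsed from is not visible here.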
@@ -12,7 +12,7 @@ module Gollum
12
12
  icon.options[:class] << ' mr-2'
13
13
  icon = icon.to_svg
14
14
  end
15
- "<div class='flash'>#{icon}#{notice}</div>"
15
+ "<div class='flash'>#{icon}#{CGI::escapeHTML(notice)}</div>"
16
16
  end
17
17
  end
18
18
  end
@@ -8,8 +8,8 @@ module Gollum
8
8
  end
9
9
 
10
10
  def render_links(previous_page, next_page)
11
- result = "Previous: <a href=\"#{::File.join(@wiki.base_path,previous_page.escaped_url_path)}\">#{previous_page.name}</a>" if previous_page
12
- result = "#{result}#{result ? ' | ' : ''}Next: <a href=\"#{::File.join(@wiki.base_path,next_page.escaped_url_path)}\">#{next_page.name}</a>" if next_page
11
+ result = "Previous: <a href=\"#{CGI::escapeHTML(::File.join(@wiki.base_path,previous_page.escaped_url_path))}\">#{CGI::escapeHTML(previous_page.name)}</a>" if previous_page
12
+ result = "#{result}#{result ? ' | ' : ''}Next: <a href=\"#{CGI::escapeHTML(::File.join(@wiki.base_path,next_page.escaped_url_path))}\">#{CGI::escapeHTML(next_page.name)}</a>" if next_page
13
13
  wrap_result(result)
14
14
  end
15
15
 
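Review bot: Lines 11 and 12 build the same escaped anchor twice, and the SeriesStart/SeriesEnd hunk below repeats it twice more, so the escaping now has four copies that must stay in sync. Since both subclasses inherit from `Gollum::Macro::Series`, a single helper on `Series` can own the URL-then-HTML escaping and reduce each `render_links` to one line per direction; it can sit below `private` if the class has that section. `render_links` is complete in the hunk, but the class body around it is not.

```ruby
def render_links(previous_page, next_page)
  result = link_to('Previous', previous_page) if previous_page
  result = "#{result}#{result ? ' | ' : ''}#{link_to('Next', next_page)}" if next_page
  wrap_result(result)
end

# "Label: <a href=...>name</a>" for one page; the path is URL-encoded by
# escaped_url_path, then HTML-escaped for the attribute, and the name is
# HTML-escaped for the text node.
def link_to(label, page)
  href = CGI.escapeHTML(::File.join(@wiki.base_path, page.escaped_url_path))
  "#{label}: <a href=\"#{href}\">#{CGI.escapeHTML(page.name)}</a>"
end
```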
@@ -32,14 +32,14 @@ module Gollum
32
32
 
33
33
  class SeriesStart < Gollum::Macro::Series
34
34
  def render_links(previous_page, next_page)
35
- result = "Next: <a href=\"#{::File.join(@wiki.base_path,next_page.escaped_url_path)}\">#{next_page.name}</a>" if next_page
35
+ result = "Next: <a href=\"#{CGI::escapeHTML(::File.join(@wiki.base_path,next_page.escaped_url_path))}\">#{CGI::escapeHTML(next_page.name)}</a>" if next_page
36
36
  wrap_result(result)
37
37
  end
38
38
  end
39
39
 
40
40
  class SeriesEnd < Gollum::Macro::Series
41
41
  def render_links(previous_page, next_page)
42
- result = "Previous: <a href=\"#{::File.join(@wiki.base_path,previous_page.escaped_url_path)}\">#{previous_page.name}</a>" if previous_page
42
+ result = "Previous: <a href=\"#{CGI::escapeHTML(::File.join(@wiki.base_path,previous_page.escaped_url_path))}\">#{CGI::escapeHTML(previous_page.name)}</a>" if previous_page
43
43
  wrap_result(result)
44
44
  end
45
45
  end
@@ -2,7 +2,7 @@ module Gollum
2
2
  class Macro
3
3
  class Video < Gollum::Macro
4
4
  def render (fname)
5
- "<video width=\"100%\" height=\"100%\" src=\"#{fname}\" controls=\"\"> HTML5 video is not supported on this Browser.</video>"
5
+ "<video width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"\"> HTML5 video is not supported on this Browser.</video>"
6
6
  end
7
7
  end
8
8
  end
@@ -4,7 +4,7 @@ module Gollum
4
4
  def render(warning)
5
5
  icon = Octicons::Octicon.new('alert', {width: 24, height: 24})
6
6
  icon.options[:class] << ' mr-2'
7
- "<div class='flash flash-warn'>#{icon.to_svg}#{warning}</div>"
7
+ "<div class='flash flash-warn'>#{icon.to_svg}#{CGI::escapeHTML(warning)}</div>"
8
8
  end
9
9
  end
10
10
  end
@@ -1,5 +1,5 @@
1
1
  module Gollum
2
2
  module Lib
3
- VERSION = '5.1.1'
3
+ VERSION = '5.1.2'
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gollum-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.1.1
4
+ version: 5.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tom Preston-Werner