RubyGems - gon - Versions diffs - 4.1.0 → 4.1.1 - Mend

gon 4.1.0 → 4.1.1

Potentially problematic release.

This version of gon might be problematic. Click here for more details.

Files changed (9) hide show

data/CHANGELOG.md CHANGED

@@ -1,5 +1,9 @@
 # CHANGELOG
+## 4.1.1
+  * Fixed critical XSS vulnerability https://github.com/gazay/gon/issues/84 (@vadimr & @Hebo)
 ## 4.1.0
   * Refactored script tag generation (@toothrot)

data/README.md CHANGED

@@ -2,7 +2,7 @@
 ![Gon. You should try this. If you look closer - you will see an elephant.](https://github.com/gazay/gon/raw/master/doc/logo_small.png)
-### Build Status [![Build Status](https://secure.travis-ci.org/gazay/gon.png)](http://travis-ci.org/gazay/gon)
+[![Build Status](https://secure.travis-ci.org/gazay/gon.png)](http://travis-ci.org/gazay/gon) [![CodeClimate](https://codeclimate.com/github/gazay/gon.png)](https://codeclimate.com/github/gazay/gon)
 If you need to send some data to your js files and you don't want to do this with long way through views and parsing - use this force!

data/lib/gon/base.rb CHANGED

@@ -3,24 +3,13 @@ class Gon
     class << self
       def render_data(options)
-        data = Gon.all_variables || {}
-        if Gon.global.all_variables.present?
-          data[:global] = Gon.global.all_variables
-        end
         namespace, tag, cameled, watch = parse_options options
         script    = "window.#{namespace} = {};"
-        data.each do |key, val|
-          if cameled
-            script << "#{namespace}.#{key.to_s.camelize(:lower)}=#{val.to_json};"
-          else
-            script << "#{namespace}.#{key.to_s}=#{val.to_json};"
-          end
-        end
-        script << Gon.watch.render if watch and Gon::Watch.all_variables.present?
+        script << formatted_data(namespace, cameled, watch)
         script = Gon::Escaper.escape_unicode(script)
         script = Gon::Escaper.javascript_tag(script) if tag
         script.html_safe
       end
@@ -58,6 +47,31 @@ class Gon
         [namespace, tag, cameled, watch]
       end
+      def formatted_data(namespace, keys_cameled, watch)
+        script = ''
+        gon_variables.each do |key, val|
+          js_key = keys_cameled ? key.to_s.camelize(:lower) : key.to_s
+          script << "#{namespace}.#{js_key}=#{val.to_json};"
+        end
+        if watch and Gon::Watch.all_variables.present?
+          script << Gon.watch.render
+        end
+        script
+      end
+      def gon_variables
+        data = Gon.all_variables || {}
+        if Gon.global.all_variables.present?
+          data[:global] = Gon.global.all_variables
+        end
+        data
+      end
       def right_extension?(extension, template_path)
         File.extname(template_path) == ".#{extension}"
       end

data/lib/gon/escaper.rb CHANGED

@@ -7,7 +7,7 @@ class Gon
       def escape_unicode(javascript)
         if javascript
-          result = javascript.gsub(/\342\200\250/u, '&#x2028;')
+          result = javascript.gsub(/\342\200\250/u, '&#x2028;').gsub(/(<\/)/u, '\u003C/')
           javascript.html_safe? ? result.html_safe : result
         else
           ''

data/lib/gon/jbuilder.rb CHANGED

@@ -78,16 +78,20 @@ class Gon
         path = partial_line.match(/['"]([^'"]*)['"]/)[1]
         path = parse_path path
         options_hash = partial_line.match(/,(.*)/)[1]
-        if options_hash.present?
-          options = eval '{' + options_hash + '}'
-          options.each do |name, val|
-            self.instance_variable_set('@' + name.to_s, val)
-            eval "def #{name}; self.instance_variable_get('@' + '#{name.to_s}'); end"
-          end
-        end
+        set_options_from_hash(options_hash) if options_hash.present?
         find_partials File.readlines(path)
       end
+      def set_options_from_hash(options_hash)
+        options = eval "{#{options_hash}}"
+        options.each do |name, val|
+          self.instance_variable_set("@#{name.to_s}", val)
+          eval "def #{name}; self.instance_variable_get('@' + '#{name.to_s}'); end"
+        end
+      end
       def parse_path(path)
         return path if File.exists?(path)

data/lib/gon/version.rb CHANGED

@@ -1,3 +1,3 @@
 class Gon
-  VERSION = '4.1.0'
+  VERSION = '4.1.1'
 end

data/spec/gon/basic_spec.rb CHANGED

@@ -102,7 +102,7 @@ describe Gon do
       @base.include_gon.should == '<script type="text/javascript">' +
                                     "\n//<![CDATA[\n" +
                                     'window.gon = {};' +
-                                    %q(gon.str="</script><script>alert('!')</script>";) +
+                                    %q(gon.str="\u003C/script><script>alert('!')\u003C/script>";) +
                                     "\n//]]>\n" +
                                   '</script>'
     end

data/spec/gon/global_spec.rb CHANGED

@@ -83,7 +83,7 @@ describe Gon::Global do
       @base.include_gon.should == "<script type=\"text/javascript\">" +
                                     "\n//<![CDATA[\n" +
                                     "window.gon = {};" +
-                                    "gon.global={\"str\":\"</script><script>alert('!')</script>\"};" +
+                                    "gon.global={\"str\":\"\\u003C/script><script>alert('!')\\u003C/script>\"};" +
                                     "\n//]]>\n" +
                                   "</script>"
     end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gon
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.1.1
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-04-15 00:00:00.000000000 Z
+date: 2013-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack