hamlit 2.6.0 → 2.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/lib/hamlit/attribute_compiler.rb +3 -3
- data/lib/hamlit/engine.rb +2 -0
- data/lib/hamlit/force_escapable.rb +28 -0
- data/lib/hamlit/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0b8b35eeaefa28bac22fe4535c4d33563974f734
|
|
4
|
+
data.tar.gz: 2c321cb4eafe5c6e0c7e913334867b46680b6510
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4ee32ce74ac89cf0fe7142ffdf3321ce83f4d69806976f7bed04757b943f78434c2a36ab85dc6c9b8ae85594cdfc2e3cfe5ffeb5eba0c723a9e9ec2c0006dec8
|
|
7
|
+
data.tar.gz: a15d8443095adca91607fa58e82e1c03bfa8cc2a64df0244b76e630377f2360f3c6b58281978b3ca5340d34092477f3aefc6e9594a376b45736bc10c177ac25a
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. This
|
|
|
4
4
|
project adheres to [Semantic Versioning](http://semver.org/). This change log is based upon
|
|
5
5
|
[keep-a-changelog](https://github.com/olivierlacan/keep-a-changelog).
|
|
6
6
|
|
|
7
|
+
## [2.6.1](https://github.com/k0kubun/hamlit/compare/v2.6.0...v2.6.1) - 2016-08-18
|
|
8
|
+
|
|
9
|
+
### Fixed
|
|
10
|
+
|
|
11
|
+
- For Rails, escape attributes even if it's html\_safe
|
|
12
|
+
- This is the same fix as Rails for [CVE-2016-6316](https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE)
|
|
13
|
+
|
|
7
14
|
## [2.6.0](https://github.com/k0kubun/hamlit/compare/v2.5.0...v2.6.0) - 2016-08-14
|
|
8
15
|
|
|
9
16
|
### Changed
|
|
@@ -93,7 +93,7 @@ module Hamlit
|
|
|
93
93
|
case value
|
|
94
94
|
when true then temple << [:html, :attr, key, @format == :xhtml ? [:static, key] : [:multi]]
|
|
95
95
|
when false, nil
|
|
96
|
-
else temple << [:html, :attr, key, [:
|
|
96
|
+
else temple << [:html, :attr, key, [:fescape, @escape_attrs, [:static, value.to_s]]]
|
|
97
97
|
end
|
|
98
98
|
else
|
|
99
99
|
var = @identity.generate
|
|
@@ -101,13 +101,13 @@ module Hamlit
|
|
|
101
101
|
:case, "(#{var} = (#{exp}))",
|
|
102
102
|
['true', [:html, :attr, key, @format == :xhtml ? [:static, key] : [:multi]]],
|
|
103
103
|
['false, nil', [:multi]],
|
|
104
|
-
[:else, [:multi, [:static, " #{key}=#{@quote}"], [:
|
|
104
|
+
[:else, [:multi, [:static, " #{key}=#{@quote}"], [:fescape, @escape_attrs, [:dynamic, var]], [:static, @quote]]],
|
|
105
105
|
]
|
|
106
106
|
end
|
|
107
107
|
end
|
|
108
108
|
|
|
109
109
|
def compile_common!(temple, key, values)
|
|
110
|
-
temple << [:html, :attr, key, [:
|
|
110
|
+
temple << [:html, :attr, key, [:fescape, @escape_attrs, values.last]]
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
def attribute_builder(type, values)
|
data/lib/hamlit/engine.rb
CHANGED
|
@@ -2,6 +2,7 @@ require 'temple'
|
|
|
2
2
|
require 'hamlit/parser'
|
|
3
3
|
require 'hamlit/compiler'
|
|
4
4
|
require 'hamlit/escapable'
|
|
5
|
+
require 'hamlit/force_escapable'
|
|
5
6
|
require 'hamlit/html'
|
|
6
7
|
require 'hamlit/string_splitter'
|
|
7
8
|
require 'hamlit/static_analyzer'
|
|
@@ -26,6 +27,7 @@ module Hamlit
|
|
|
26
27
|
use StringSplitter
|
|
27
28
|
use StaticAnalyzer
|
|
28
29
|
use Escapable
|
|
30
|
+
use ForceEscapable
|
|
29
31
|
filter :ControlFlow
|
|
30
32
|
filter :MultiFlattener
|
|
31
33
|
filter :StaticMerger
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
require 'hamlit/escapable'
|
|
2
|
+
|
|
3
|
+
module Hamlit
|
|
4
|
+
# This module allows Temple::Filter to dispatch :fescape on `#compile`.
|
|
5
|
+
module FescapeDispathcer
|
|
6
|
+
def on_fescape(flag, exp)
|
|
7
|
+
[:fescape, flag, compile(exp)]
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
::Temple::Filter.include FescapeDispathcer
|
|
11
|
+
|
|
12
|
+
# Unlike Hamlit::Escapable, this escapes value even if it's html_safe.
|
|
13
|
+
class ForceEscapable < Escapable
|
|
14
|
+
def initialize(opts = {})
|
|
15
|
+
super
|
|
16
|
+
@escape_code = options[:escape_code] || "::Hamlit::Utils.escape_html((%s))"
|
|
17
|
+
@escaper = eval("proc {|v| #{@escape_code % 'v'} }")
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
alias_method :on_fescape, :on_escape
|
|
21
|
+
|
|
22
|
+
# ForceEscapable doesn't touch :escape expression.
|
|
23
|
+
# This method is not used if it's inserted after Hamlit::Escapable.
|
|
24
|
+
def on_escape(flag, exp)
|
|
25
|
+
[:escape, flag, compile(exp)]
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
data/lib/hamlit/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hamlit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.6.
|
|
4
|
+
version: 2.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Takashi Kokubun
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-08-
|
|
11
|
+
date: 2016-08-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: temple
|
|
@@ -323,6 +323,7 @@ files:
|
|
|
323
323
|
- lib/hamlit/filters/scss.rb
|
|
324
324
|
- lib/hamlit/filters/text_base.rb
|
|
325
325
|
- lib/hamlit/filters/tilt_base.rb
|
|
326
|
+
- lib/hamlit/force_escapable.rb
|
|
326
327
|
- lib/hamlit/helpers.rb
|
|
327
328
|
- lib/hamlit/html.rb
|
|
328
329
|
- lib/hamlit/identity.rb
|