hamlit 2.6.0 → 2.6.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/lib/hamlit/attribute_compiler.rb +3 -3
- data/lib/hamlit/engine.rb +2 -0
- data/lib/hamlit/force_escapable.rb +28 -0
- data/lib/hamlit/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0b8b35eeaefa28bac22fe4535c4d33563974f734
|
|
4
|
+
data.tar.gz: 2c321cb4eafe5c6e0c7e913334867b46680b6510
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4ee32ce74ac89cf0fe7142ffdf3321ce83f4d69806976f7bed04757b943f78434c2a36ab85dc6c9b8ae85594cdfc2e3cfe5ffeb5eba0c723a9e9ec2c0006dec8
|
|
7
|
+
data.tar.gz: a15d8443095adca91607fa58e82e1c03bfa8cc2a64df0244b76e630377f2360f3c6b58281978b3ca5340d34092477f3aefc6e9594a376b45736bc10c177ac25a
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. This
|
|
|
4
4
|
project adheres to [Semantic Versioning](http://semver.org/). This change log is based upon
|
|
5
5
|
[keep-a-changelog](https://github.com/olivierlacan/keep-a-changelog).
|
|
6
6
|
|
|
7
|
+
## [2.6.1](https://github.com/k0kubun/hamlit/compare/v2.6.0...v2.6.1) - 2016-08-18
|
|
8
|
+
|
|
9
|
+
### Fixed
|
|
10
|
+
|
|
11
|
+
- For Rails, escape attributes even if it's html\_safe
|
|
12
|
+
- This is the same fix as Rails for [CVE-2016-6316](https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE)
|
|
13
|
+
|
|
7
14
|
## [2.6.0](https://github.com/k0kubun/hamlit/compare/v2.5.0...v2.6.0) - 2016-08-14
|
|
8
15
|
|
|
9
16
|
### Changed
|
|
@@ -93,7 +93,7 @@ module Hamlit
|
|
|
93
93
|
case value
|
|
94
94
|
when true then temple << [:html, :attr, key, @format == :xhtml ? [:static, key] : [:multi]]
|
|
95
95
|
when false, nil
|
|
96
|
-
else temple << [:html, :attr, key, [:
|
|
96
|
+
else temple << [:html, :attr, key, [:fescape, @escape_attrs, [:static, value.to_s]]]
|
|
97
97
|
end
|
|
98
98
|
else
|
|
99
99
|
var = @identity.generate
|
|
@@ -101,13 +101,13 @@ module Hamlit
|
|
|
101
101
|
:case, "(#{var} = (#{exp}))",
|
|
102
102
|
['true', [:html, :attr, key, @format == :xhtml ? [:static, key] : [:multi]]],
|
|
103
103
|
['false, nil', [:multi]],
|
|
104
|
-
[:else, [:multi, [:static, " #{key}=#{@quote}"], [:
|
|
104
|
+
[:else, [:multi, [:static, " #{key}=#{@quote}"], [:fescape, @escape_attrs, [:dynamic, var]], [:static, @quote]]],
|
|
105
105
|
]
|
|
106
106
|
end
|
|
107
107
|
end
|
|
108
108
|
|
|
109
109
|
def compile_common!(temple, key, values)
|
|
110
|
-
temple << [:html, :attr, key, [:
|
|
110
|
+
temple << [:html, :attr, key, [:fescape, @escape_attrs, values.last]]
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
def attribute_builder(type, values)
|
data/lib/hamlit/engine.rb
CHANGED
|
@@ -2,6 +2,7 @@ require 'temple'
|
|
|
2
2
|
require 'hamlit/parser'
|
|
3
3
|
require 'hamlit/compiler'
|
|
4
4
|
require 'hamlit/escapable'
|
|
5
|
+
require 'hamlit/force_escapable'
|
|
5
6
|
require 'hamlit/html'
|
|
6
7
|
require 'hamlit/string_splitter'
|
|
7
8
|
require 'hamlit/static_analyzer'
|
|
@@ -26,6 +27,7 @@ module Hamlit
|
|
|
26
27
|
use StringSplitter
|
|
27
28
|
use StaticAnalyzer
|
|
28
29
|
use Escapable
|
|
30
|
+
use ForceEscapable
|
|
29
31
|
filter :ControlFlow
|
|
30
32
|
filter :MultiFlattener
|
|
31
33
|
filter :StaticMerger
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
require 'hamlit/escapable'
|
|
2
|
+
|
|
3
|
+
module Hamlit
|
|
4
|
+
# This module allows Temple::Filter to dispatch :fescape on `#compile`.
|
|
5
|
+
module FescapeDispathcer
|
|
6
|
+
def on_fescape(flag, exp)
|
|
7
|
+
[:fescape, flag, compile(exp)]
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
::Temple::Filter.include FescapeDispathcer
|
|
11
|
+
|
|
12
|
+
# Unlike Hamlit::Escapable, this escapes value even if it's html_safe.
|
|
13
|
+
class ForceEscapable < Escapable
|
|
14
|
+
def initialize(opts = {})
|
|
15
|
+
super
|
|
16
|
+
@escape_code = options[:escape_code] || "::Hamlit::Utils.escape_html((%s))"
|
|
17
|
+
@escaper = eval("proc {|v| #{@escape_code % 'v'} }")
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
alias_method :on_fescape, :on_escape
|
|
21
|
+
|
|
22
|
+
# ForceEscapable doesn't touch :escape expression.
|
|
23
|
+
# This method is not used if it's inserted after Hamlit::Escapable.
|
|
24
|
+
def on_escape(flag, exp)
|
|
25
|
+
[:escape, flag, compile(exp)]
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
data/lib/hamlit/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hamlit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.6.
|
|
4
|
+
version: 2.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Takashi Kokubun
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-08-
|
|
11
|
+
date: 2016-08-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: temple
|
|
@@ -323,6 +323,7 @@ files:
|
|
|
323
323
|
- lib/hamlit/filters/scss.rb
|
|
324
324
|
- lib/hamlit/filters/text_base.rb
|
|
325
325
|
- lib/hamlit/filters/tilt_base.rb
|
|
326
|
+
- lib/hamlit/force_escapable.rb
|
|
326
327
|
- lib/hamlit/helpers.rb
|
|
327
328
|
- lib/hamlit/html.rb
|
|
328
329
|
- lib/hamlit/identity.rb
|