inline_svg 1.6.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5141ac43ede6f67761b367d5697e8b007719bb445831bea6b689e712bf50414c
-  data.tar.gz: 6694ac5aa490995a47138013b550a28e738ae5d9f5fb0df72bdef476d802e0b0
+  metadata.gz: 23a2c45f1e25e4266196f0e2fc23a4384cb8513be840d2b676ae848b5be1d121
+  data.tar.gz: 8fdb1090f9037ed6c732469ffda28023e200d758533223d4bd9c85b5a20cfb72
 SHA512:
-  metadata.gz: 0310736a1123e9e5d42da01cc1dc4b966f369cd9c6931610623eb57921ce2b82119334224b6e953a130e374e3bd6cc47014fefbd4c1fb30ff1d87a09bf91b903
-  data.tar.gz: 95cbe5a123f9fa66bf2ea7510efccd017abf7e6269543dd8e22fd6b3bb0d7d165d7b37cd1a4ac891dc1412c811982b30037751c65be84ab3bfddf15d9c4f67d8
+  metadata.gz: c3d98f05ba0b9ea222d1b852f87f30584ba4b775d7b6848a2366341e5e85bb6c9912bc1f8441117d129db4d63506d54dcd8ef4d633a5140359e25f5a829a8a1c
+  data.tar.gz: 45eb7d5c8a30f0814e9c775924690825ad3b3ee9c3ada3c9694bf3af46499ababaa1ba81f696514e08dc09aa5ae6520094820fc528ee34fbb307b856dc16b3f4

data/.github/workflows/integration_test.yml

@@ -0,0 +1,47 @@
+name: Integration Tests
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test-branch: [rails5, rails6, rails7]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Checkout test app
+      uses: actions/checkout@v2
+      with:
+        repository: jamesmartin/inline_svg_test_app
+        ref: ${{ matrix.test-branch }}
+        path: test_app
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+    - name: Build local gem
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake build
+    - name: Use the local gem in the test App
+      id: uselocalgem
+      uses: jacobtomlinson/gha-find-replace@0.1.1
+      with:
+        find: "gem 'inline_svg'"
+        replace: "gem 'inline_svg', path: '${{github.workspace}}'"
+    - name: Check local gem in use
+      run: |
+        test "${{ steps.uselocalgem.outputs.modifiedFiles }}" != "0"
+        grep "inline_svg" $GITHUB_WORKSPACE/test_app/Gemfile
+    - name: Bundle
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle install --jobs 4 --retry 3
+    - name: Test
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle exec rake test

data/.github/workflows/rails_6_webpacker_integration_tests.yaml

@@ -0,0 +1,58 @@
+name: Rails 6 Webpacker Integration Tests (unreliable)
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test-branch: [rails6-webpacker]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Checkout test app
+      uses: actions/checkout@v2
+      with:
+        repository: jamesmartin/inline_svg_test_app
+        ref: ${{ matrix.test-branch }}
+        path: test_app
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+    - name: Build local gem
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake build
+    - name: Use the local gem in the test App
+      id: uselocalgem
+      uses: jacobtomlinson/gha-find-replace@0.1.1
+      with:
+        find: "gem 'inline_svg'"
+        replace: "gem 'inline_svg', path: '${{github.workspace}}'"
+    - name: Check local gem in use
+      run: |
+        test "${{ steps.uselocalgem.outputs.modifiedFiles }}" != "0"
+        grep "inline_svg" $GITHUB_WORKSPACE/test_app/Gemfile
+    - name: Bundle
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle install --jobs 4 --retry 3
+    - name: Set up Node.js 16.x
+      uses: actions/setup-node@v2
+      with:
+        node-version: 16
+      if: matrix.test-branch == 'rails6-webpacker'
+    - name: Generate Webpacker config
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        yarn install --check-files
+        bundle exec rake webpacker:compile
+      if: matrix.test-branch == 'rails6-webpacker'
+    - name: Test
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle exec rake test

data/.github/workflows/ruby.yml

@@ -0,0 +1,20 @@
+name: Ruby
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake

data/CHANGELOG.md

@@ -3,7 +3,31 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased][unreleased]
-- Nothing
+
+Nothing.
+
+## [1.8.0] - 2022-01-09
+### Added
+- Remove deprecation warning for `inline_svg`, as we intend to keep it in 2.0. [#131](https://github.com/jamesmartin/inline_svg/pull/131). Thanks [@DanielJackson-Oslo](https://github.com/DanielJackson-Oslo)
+- Add support for Webpacker 6 beta. [#129](https://github.com/jamesmartin/inline_svg/pull/129). Thanks [@Intrepidd](https://github.com/Intrepidd) and [@tessi](https://github.com/tessi)
+- Add support for Propshaft assets in Rails 7. [#134](https://github.com/jamesmartin/inline_svg/pull/134). Thanks, [@martinzamuner](https://github.com/martinzamuner)
+
+## [1.7.2] - 2020-12-07
+### Fixed
+- Improve performance of `CachedAssetFile`. [#118](https://github.com/jamesmartin/inline_svg/pull/118). Thanks [@stevendaniels](https://github.com/stevendaniels)
+- Avoid XSS by preventing malicious input of filenames. [#117](https://github.com/jamesmartin/inline_svg/pull/117). Thanks [@pbyrne](https://github.com/pbyrne).
+
+## [1.7.1] - 2020-03-17
+### Fixed
+- Static Asset Finder uses pathname for compatibility with Sprockets 4+. [#106](https://github.com/jamesmartin/inline_svg/pull/106). Thanks [@subdigital](https://github.com/subdigital)
+
+## [1.7.0] - 2020-02-13
+### Added
+- WebpackAssetFinder serves files from dev server if one is running. [#111](https://github.com/jamesmartin/inline_svg/pull/111). Thanks, [@connorshea](https://github.com/connorshea)
+
+### Fixed
+- Using Webpacker and Asset Pipeline in a single App could result in SVGs not being found because the wrong `AssetFinder` was used. [#114](https://github.com/jamesmartin/inline_svg/pull/114). Thanks, [@kylefox](https://github.com/kylefox)
+- Prevent "EOFError error" when using webpack dev server over HTTPS [#113](https://github.com/jamesmartin/inline_svg/pull/113). Thanks, [@kylefox](https://github.com/kylefox)
 
 ## [1.6.0] - 2019-11-13
 ### Added
@@ -220,7 +244,12 @@ transformations](https://github.com/jamesmartin/inline_svg/blob/master/README.md
 ### Added
 - Basic Railtie and view helper to inline SVG documents to Rails views.
 
-[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.5.2...HEAD
+[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.8.0...HEAD
+[1.8.0]: https://github.com/jamesmartin/inline_svg/compare/v1.7.2...v1.8.0
+[1.7.2]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...v1.7.2
+[1.7.1]: https://github.com/jamesmartin/inline_svg/compare/v1.7.0...v1.7.1
+[1.7.0]: https://github.com/jamesmartin/inline_svg/compare/v1.6.0...v1.7.0
+[1.6.0]: https://github.com/jamesmartin/inline_svg/compare/v1.5.2...v1.6.0
 [1.5.2]: https://github.com/jamesmartin/inline_svg/compare/v1.5.1...v1.5.2
 [1.5.1]: https://github.com/jamesmartin/inline_svg/compare/v1.5.0...v1.5.1
 [1.5.0]: https://github.com/jamesmartin/inline_svg/compare/v1.4.0...v1.5.0

data/README.md

@@ -1,6 +1,7 @@
 # Inline SVG
 
-[![Build Status](https://travis-ci.org/jamesmartin/inline_svg.svg?branch=master)](https://travis-ci.org/jamesmartin/inline_svg)
+![Unit tests](https://github.com/jamesmartin/inline_svg/workflows/Ruby/badge.svg)
+![Integration Tests](https://github.com/jamesmartin/inline_svg/workflows/Integration%20Tests/badge.svg)
 
 Styling a SVG document with CSS for use on the web is most reliably achieved by
 [adding classes to the document and
@@ -11,10 +12,11 @@ then embeds it into a view.
 
 Inline SVG supports:
 
-- [Rails 3](http://weblog.rubyonrails.org/2010/8/29/rails-3-0-it-s-done/) (from [v0.12.0](https://github.com/jamesmartin/inline_svg/releases/tag/v0.12.0))
-- [Rails 4](http://weblog.rubyonrails.org/2013/6/25/Rails-4-0-final/)
 - [Rails 5](http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/) (from [v0.10.0](https://github.com/jamesmartin/inline_svg/releases/tag/v0.10.0))
 - [Rails 6](https://weblog.rubyonrails.org/2019/4/24/Rails-6-0-rc1-released/) with Sprockets or Webpacker (from [v1.5.2](https://github.com/jamesmartin/inline_svg/releases/tag/v1.5.2)).
+- [Rails 7](https://weblog.rubyonrails.org/2021/12/6/Rails-7-0-rc-1-released/) (experimental)
+
+Inline SVG no longer officially supports Rails 3 or Rails 4 (although they may still work). In order to reduce the maintenance cost of this project we now follow the [Rails Maintenance Policy](https://guides.rubyonrails.org/maintenance_policy.html).
 
 ## Changelog
 
@@ -97,6 +99,7 @@ key                     | description
 `preserve_aspect_ratio` | adds a `preserveAspectRatio` attribute to the SVG
 `aria`                  | adds common accessibility attributes to the SVG (see [PR #34](https://github.com/jamesmartin/inline_svg/pull/34#issue-152062674) for details)
 `aria_hidden`           | adds the `aria-hidden=true` attribute to the SVG
+`fallback`              | set fallback SVG document
 
 Example:
 
@@ -112,7 +115,8 @@ inline_svg_tag(
   nocomment: true,
   preserve_aspect_ratio: 'xMaxYMax meet',
   aria: true,
-  aria_hidden: true
+  aria_hidden: true,
+  fallback: 'fallback-document.svg'
 )
 ```
 

data/lib/inline_svg/action_view/helpers.rb

@@ -17,15 +17,20 @@ module InlineSvg
       end
 
       def inline_svg(filename, transform_params={})
-        ActiveSupport::Deprecation.warn(
-          '`inline_svg` is deprecated and will be removed from inline_svg 2.0 (use `inline_svg_tag` or `inline_svg_pack_tag` instead)'
-        )
-
         render_inline_svg(filename, transform_params)
       end
 
       private
 
+      def backwards_compatible_html_escape(filename)
+        # html_escape_once was introduced in newer versions of Rails.
+        if ERB::Util.respond_to?(:html_escape_once)
+          ERB::Util.html_escape_once(filename)
+        else
+          ERB::Util.html_escape(filename)
+        end
+      end
+
       def render_inline_svg(filename, transform_params={})
         begin
           svg_file = read_svg(filename)
@@ -55,7 +60,7 @@ module InlineSvg
 
       def placeholder(filename)
         css_class = InlineSvg.configuration.svg_not_found_css_class
-        not_found_message = "'#{filename}' #{extension_hint(filename)}"
+        not_found_message = "'#{backwards_compatible_html_escape(filename)}' #{extension_hint(filename)}"
 
         if css_class.nil?
           return "<svg><!-- SVG file not found: #{not_found_message}--></svg>".html_safe
@@ -69,11 +74,9 @@ module InlineSvg
       end
 
       def with_asset_finder(asset_finder)
-        initial_asset_finder = InlineSvg.configuration.asset_finder
-
-        InlineSvg.configuration.asset_finder = asset_finder
+        Thread.current[:inline_svg_asset_finder] = asset_finder
         output = yield
-        InlineSvg.configuration.asset_finder = initial_asset_finder
+        Thread.current[:inline_svg_asset_finder] = nil
 
         output
       end

data/lib/inline_svg/cached_asset_file.rb

@@ -18,6 +18,7 @@ module InlineSvg
       @paths = Array(paths).compact.map { |p| Pathname.new(p) }
       @filters = Array(filters).map { |f| Regexp.new(f) }
       @assets = @paths.reduce({}) { |assets, p| assets.merge(read_assets(assets, p)) }
+      @sorted_asset_keys = assets.keys.sort { |a, b| a.size <=> b.size }
     end
 
     # Public: Finds the named asset and returns the contents as a string.
@@ -39,17 +40,7 @@ module InlineSvg
     # Returns a String representing the key for the named asset or nil if there
     # is no match.
     def key_for_asset(asset_name)
-      match = all_keys_matching(asset_name).sort do |a, b|
-        a.string.size <=> b.string.size
-      end.first
-      match && match.string
-    end
-
-    # Internal: Find all potential asset keys matching the given asset name.
-    #
-    # Returns an array of MatchData objects for keys matching the asset name.
-    def all_keys_matching(asset_name)
-      assets.keys.map { |k| /(#{asset_name})/.match(k.to_s) }.compact
+      @sorted_asset_keys.find { |k| k.include?(asset_name) }
     end
 
     # Internal: Recursively descends through current_paths reading each file it

data/lib/inline_svg/finds_asset_paths.rb

@@ -6,7 +6,7 @@ module InlineSvg
     end
 
     def self.configured_asset_finder
-      InlineSvg.configuration.asset_finder
+      Thread.current[:inline_svg_asset_finder] || InlineSvg.configuration.asset_finder
     end
   end
 end

data/lib/inline_svg/propshaft_asset_finder.rb

@@ -0,0 +1,15 @@
+module InlineSvg
+  class PropshaftAssetFinder
+    def self.find_asset(filename)
+      new(filename)
+    end
+
+    def initialize(filename)
+      @filename = filename
+    end
+
+    def pathname
+      ::Rails.application.assets.load_path.find(@filename).path
+    end
+  end
+end

data/lib/inline_svg/static_asset_finder.rb

@@ -1,7 +1,9 @@
+require "pathname"
+
 # Naive fallback asset finder for when sprockets >= 3.0 &&
 # config.assets.precompile = false
 # Thanks to @ryanswood for the original code:
-# https://github.com/AbleHealth/inline_svg/commit/661bbb3bef7d1b4bd6ccd63f5f018305797b9509
+# https://github.com/jamesmartin/inline_svg/commit/661bbb3bef7d1b4bd6ccd63f5f018305797b9509
 module InlineSvg
   class StaticAssetFinder
     def self.find_asset(filename)
@@ -14,7 +16,7 @@ module InlineSvg
 
     def pathname
       if ::Rails.application.config.assets.compile
-        ::Rails.application.assets[@filename].pathname
+        Pathname.new(::Rails.application.assets[@filename].filename)
       else
         manifest = ::Rails.application.assets_manifest
         asset_path = manifest.assets[@filename]

data/lib/inline_svg/version.rb

@@ -1,3 +1,3 @@
 module InlineSvg
-  VERSION = "1.6.0"
+  VERSION = "1.8.0"
 end

data/lib/inline_svg/webpack_asset_finder.rb

@@ -6,14 +6,45 @@ module InlineSvg
 
     def initialize(filename)
       @filename = filename
+      @asset_path = URI(Webpacker.manifest.lookup(@filename)).path
     end
 
     def pathname
-      public_path = Webpacker.config.public_path
-      file_path = Webpacker.instance.manifest.lookup(@filename)
-      return unless public_path && file_path
+      return if @asset_path.blank?
 
-      File.join(public_path, file_path)
+      if Webpacker.dev_server.running?
+        dev_server_asset(@asset_path)
+      elsif Webpacker.config.public_path.present?
+        File.join(Webpacker.config.public_path, @asset_path)
+      end
+    end
+
+    private
+
+    def dev_server_asset(file_path)
+      asset = fetch_from_dev_server(file_path)
+
+      begin
+        Tempfile.new(file_path).tap do |file|
+          file.binmode
+          file.write(asset)
+          file.rewind
+        end
+      rescue StandardError => e
+        Rails.logger.error "[inline_svg] Error creating tempfile for #{@filename}: #{e}"
+        raise
+      end
+    end
+
+    def fetch_from_dev_server(file_path)
+      http = Net::HTTP.new(Webpacker.dev_server.host, Webpacker.dev_server.port)
+      http.use_ssl = Webpacker.dev_server.https?
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+      http.request(Net::HTTP::Get.new(file_path)).body
+    rescue StandardError => e
+      Rails.logger.error "[inline_svg] Error fetching #{@filename} from webpack-dev-server: #{e}"
+      raise
     end
   end
 end

data/lib/inline_svg.rb

@@ -3,6 +3,7 @@ require "inline_svg/action_view/helpers"
 require "inline_svg/asset_file"
 require "inline_svg/cached_asset_file"
 require "inline_svg/finds_asset_paths"
+require "inline_svg/propshaft_asset_finder"
 require "inline_svg/static_asset_finder"
 require "inline_svg/webpack_asset_finder"
 require "inline_svg/transform_pipeline"
@@ -41,6 +42,8 @@ module InlineSvg
     def asset_finder=(finder)
       @asset_finder = if finder.respond_to?(:find_asset)
                         finder
+                      elsif finder.class.name == "Propshaft::Assembly"
+                        InlineSvg::PropshaftAssetFinder
                       else
                         # fallback to a naive static asset finder
                         # (sprokects >= 3.0 && config.assets.precompile = false

data/spec/finds_asset_paths_spec.rb

@@ -45,4 +45,49 @@ describe InlineSvg::FindsAssetPaths do
       expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to be_nil
     end
   end
+
+  context "when propshaft finder returns an object which supports only the pathname method" do
+    it "returns fully qualified file paths from Propshaft" do
+      propshaft = double('PropshaftDouble')
+
+      expect(propshaft).to receive(:find_asset).with('some-file').
+        and_return(double(pathname: Pathname('/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = propshaft
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('/full/path/to/some-file')
+    end
+  end
+
+  context "when webpack finder returns an object with a relative asset path" do
+    it "returns the fully qualified file path" do
+      webpacker = double('WebpackerDouble')
+
+      expect(webpacker).to receive(:find_asset).with('some-file').
+        and_return(double(filename: Pathname('/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = webpacker
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('/full/path/to/some-file')
+    end
+  end
+
+  context "when webpack finder returns an object with an absolute http asset path" do
+    it "returns the fully qualified file path" do
+      webpacker = double('WebpackerDouble')
+
+      expect(webpacker).to receive(:find_asset).with('some-file').
+        and_return(double(filename: Pathname('https://my-fancy-domain.test/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = webpacker
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('https://my-fancy-domain.test/full/path/to/some-file')
+    end
+  end
 end

data/spec/helpers/inline_svg_spec.rb

@@ -46,6 +46,17 @@ describe InlineSvg::ActionView::Helpers do
         expect(output).to be_html_safe
       end
 
+      it "escapes malicious input" do
+        malicious = "--></svg><script>alert(1)</script><svg>.svg"
+        allow(InlineSvg::AssetFile).to receive(:named).
+          with(malicious).
+          and_raise(InlineSvg::AssetFile::FileNotFound.new)
+
+        output = helper.send(helper_method, malicious)
+        expect(output).to eq "<svg><!-- SVG file not found: '--&gt;&lt;/svg&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;svg&gt;.svg' --></svg>"
+        expect(output).to be_html_safe
+      end
+
       it "gives a helpful hint when no .svg extension is provided in the filename" do
         allow(InlineSvg::AssetFile).to receive(:named).
           with('missing-file-with-no-extension').

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inline_svg
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.8.0
 platform: ruby
 authors:
 - James Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-13 00:00:00.000000000 Z
+date: 2022-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -129,16 +129,17 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/integration_test.yml"
+- ".github/workflows/rails_6_webpacker_integration_tests.yaml"
+- ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - ".rubocop_todo.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
-- circle.yml
 - inline_svg.gemspec
 - lib/inline_svg.rb
 - lib/inline_svg/action_view/helpers.rb
@@ -147,6 +148,7 @@ files:
 - lib/inline_svg/finds_asset_paths.rb
 - lib/inline_svg/id_generator.rb
 - lib/inline_svg/io_resource.rb
+- lib/inline_svg/propshaft_asset_finder.rb
 - lib/inline_svg/railtie.rb
 - lib/inline_svg/static_asset_finder.rb
 - lib/inline_svg/transform_pipeline.rb
@@ -215,8 +217,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Embeds an SVG document, inline.

data/.travis.yml

@@ -1,8 +0,0 @@
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-before_install:
-  - gem install -v 2.0.1 bundler --no-document
-script: bundle exec rspec

data/circle.yml

@@ -1,3 +0,0 @@
-machine:
-  ruby:
-    version:  2.5.0