inline_svg 1.7.1 → 1.7.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/integration_test.yml +1 -1
- data/CHANGELOG.md +7 -1
- data/README.md +3 -1
- data/lib/inline_svg/action_view/helpers.rb +10 -1
- data/lib/inline_svg/cached_asset_file.rb +2 -11
- data/lib/inline_svg/version.rb +1 -1
- data/spec/helpers/inline_svg_spec.rb +11 -0
- metadata +6 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fd31243686f41f3d2acfc2f7235685baaab23ca967774d6f642e7f5aab7f2fbc
|
|
4
|
+
data.tar.gz: 1c6bdf6fc08c4a145c5ecefea9aaa2fe60d2f1d0142c78aed17a73d4acaaa9ce
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: baee695644bd79e2561183326818a30f2dd1be7e4262973faacc2fa17ba7970888f9b4beb5cb0ebf2ce9a8c477d99d941f29431bdfaea32d66bd654c244e9545
|
|
7
|
+
data.tar.gz: 16347bfe873b1f0ab075a43b5f98590a5d2f80cb985849dd7d6c868e4d753a8e5f86209bab55c06e47ea67f89b622132ce3fc88343cbb4a388ae94b798009ca1
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|
|
6
6
|
|
|
7
7
|
- Nothing
|
|
8
8
|
|
|
9
|
+
## [1.7.2] - 2020-12-07
|
|
10
|
+
### Fixed
|
|
11
|
+
- Improve performance of `CachedAssetFile`. [#118](https://github.com/jamesmartin/inline_svg/pull/118). Thanks [@stevendaniels](https://github.com/stevendaniels)
|
|
12
|
+
- Avoid XSS by preventing malicious input of filenames. [#117](https://github.com/jamesmartin/inline_svg/pull/117). Thanks [@pbyrne](https://github.com/pbyrne).
|
|
13
|
+
|
|
9
14
|
## [1.7.1] - 2020-03-17
|
|
10
15
|
### Fixed
|
|
11
16
|
- Static Asset Finder uses pathname for compatibility with Sprockets 4+. [#106](https://github.com/jamesmartin/inline_svg/pull/106). Thanks [@subdigital](https://github.com/subdigital)
|
|
@@ -234,7 +239,8 @@ transformations](https://github.com/jamesmartin/inline_svg/blob/master/README.md
|
|
|
234
239
|
### Added
|
|
235
240
|
- Basic Railtie and view helper to inline SVG documents to Rails views.
|
|
236
241
|
|
|
237
|
-
[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.7.
|
|
242
|
+
[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.7.2...HEAD
|
|
243
|
+
[1.7.2]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...v1.7.2
|
|
238
244
|
[1.7.1]: https://github.com/jamesmartin/inline_svg/compare/v1.7.0...v1.7.1
|
|
239
245
|
[1.7.0]: https://github.com/jamesmartin/inline_svg/compare/v1.6.0...v1.7.0
|
|
240
246
|
[1.6.0]: https://github.com/jamesmartin/inline_svg/compare/v1.5.2...v1.6.0
|
data/README.md
CHANGED
|
@@ -98,6 +98,7 @@ key | description
|
|
|
98
98
|
`preserve_aspect_ratio` | adds a `preserveAspectRatio` attribute to the SVG
|
|
99
99
|
`aria` | adds common accessibility attributes to the SVG (see [PR #34](https://github.com/jamesmartin/inline_svg/pull/34#issue-152062674) for details)
|
|
100
100
|
`aria_hidden` | adds the `aria-hidden=true` attribute to the SVG
|
|
101
|
+
`fallback` | set fallback SVG document
|
|
101
102
|
|
|
102
103
|
Example:
|
|
103
104
|
|
|
@@ -113,7 +114,8 @@ inline_svg_tag(
|
|
|
113
114
|
nocomment: true,
|
|
114
115
|
preserve_aspect_ratio: 'xMaxYMax meet',
|
|
115
116
|
aria: true,
|
|
116
|
-
aria_hidden: true
|
|
117
|
+
aria_hidden: true,
|
|
118
|
+
fallback: 'fallback-document.svg'
|
|
117
119
|
)
|
|
118
120
|
```
|
|
119
121
|
|
|
@@ -26,6 +26,15 @@ module InlineSvg
|
|
|
26
26
|
|
|
27
27
|
private
|
|
28
28
|
|
|
29
|
+
def backwards_compatible_html_escape(filename)
|
|
30
|
+
# html_escape_once was introduced in newer versions of Rails.
|
|
31
|
+
if ERB::Util.respond_to?(:html_escape_once)
|
|
32
|
+
ERB::Util.html_escape_once(filename)
|
|
33
|
+
else
|
|
34
|
+
ERB::Util.html_escape(filename)
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
|
|
29
38
|
def render_inline_svg(filename, transform_params={})
|
|
30
39
|
begin
|
|
31
40
|
svg_file = read_svg(filename)
|
|
@@ -55,7 +64,7 @@ module InlineSvg
|
|
|
55
64
|
|
|
56
65
|
def placeholder(filename)
|
|
57
66
|
css_class = InlineSvg.configuration.svg_not_found_css_class
|
|
58
|
-
not_found_message = "'#{filename}' #{extension_hint(filename)}"
|
|
67
|
+
not_found_message = "'#{backwards_compatible_html_escape(filename)}' #{extension_hint(filename)}"
|
|
59
68
|
|
|
60
69
|
if css_class.nil?
|
|
61
70
|
return "<svg><!-- SVG file not found: #{not_found_message}--></svg>".html_safe
|
|
@@ -18,6 +18,7 @@ module InlineSvg
|
|
|
18
18
|
@paths = Array(paths).compact.map { |p| Pathname.new(p) }
|
|
19
19
|
@filters = Array(filters).map { |f| Regexp.new(f) }
|
|
20
20
|
@assets = @paths.reduce({}) { |assets, p| assets.merge(read_assets(assets, p)) }
|
|
21
|
+
@sorted_asset_keys = assets.keys.sort { |a, b| a.size <=> b.size }
|
|
21
22
|
end
|
|
22
23
|
|
|
23
24
|
# Public: Finds the named asset and returns the contents as a string.
|
|
@@ -39,17 +40,7 @@ module InlineSvg
|
|
|
39
40
|
# Returns a String representing the key for the named asset or nil if there
|
|
40
41
|
# is no match.
|
|
41
42
|
def key_for_asset(asset_name)
|
|
42
|
-
|
|
43
|
-
a.string.size <=> b.string.size
|
|
44
|
-
end.first
|
|
45
|
-
match && match.string
|
|
46
|
-
end
|
|
47
|
-
|
|
48
|
-
# Internal: Find all potential asset keys matching the given asset name.
|
|
49
|
-
#
|
|
50
|
-
# Returns an array of MatchData objects for keys matching the asset name.
|
|
51
|
-
def all_keys_matching(asset_name)
|
|
52
|
-
assets.keys.map { |k| /(#{asset_name})/.match(k.to_s) }.compact
|
|
43
|
+
@sorted_asset_keys.find { |k| k.include?(asset_name) }
|
|
53
44
|
end
|
|
54
45
|
|
|
55
46
|
# Internal: Recursively descends through current_paths reading each file it
|
data/lib/inline_svg/version.rb
CHANGED
|
@@ -46,6 +46,17 @@ describe InlineSvg::ActionView::Helpers do
|
|
|
46
46
|
expect(output).to be_html_safe
|
|
47
47
|
end
|
|
48
48
|
|
|
49
|
+
it "escapes malicious input" do
|
|
50
|
+
malicious = "--></svg><script>alert(1)</script><svg>.svg"
|
|
51
|
+
allow(InlineSvg::AssetFile).to receive(:named).
|
|
52
|
+
with(malicious).
|
|
53
|
+
and_raise(InlineSvg::AssetFile::FileNotFound.new)
|
|
54
|
+
|
|
55
|
+
output = helper.send(helper_method, malicious)
|
|
56
|
+
expect(output).to eq "<svg><!-- SVG file not found: '--></svg><script>alert(1)</script><svg>.svg' --></svg>"
|
|
57
|
+
expect(output).to be_html_safe
|
|
58
|
+
end
|
|
59
|
+
|
|
49
60
|
it "gives a helpful hint when no .svg extension is provided in the filename" do
|
|
50
61
|
allow(InlineSvg::AssetFile).to receive(:named).
|
|
51
62
|
with('missing-file-with-no-extension').
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inline_svg
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.7.
|
|
4
|
+
version: 1.7.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- James Martin
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-12-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -200,7 +200,7 @@ homepage: https://github.com/jamesmartin/inline_svg
|
|
|
200
200
|
licenses:
|
|
201
201
|
- MIT
|
|
202
202
|
metadata: {}
|
|
203
|
-
post_install_message:
|
|
203
|
+
post_install_message:
|
|
204
204
|
rdoc_options: []
|
|
205
205
|
require_paths:
|
|
206
206
|
- lib
|
|
@@ -215,9 +215,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
215
215
|
- !ruby/object:Gem::Version
|
|
216
216
|
version: '0'
|
|
217
217
|
requirements: []
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
signing_key:
|
|
218
|
+
rubygems_version: 3.1.2
|
|
219
|
+
signing_key:
|
|
221
220
|
specification_version: 4
|
|
222
221
|
summary: Embeds an SVG document, inline.
|
|
223
222
|
test_files:
|