inline_svg 1.7.1 → 1.7.2

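--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 923ca3f0952247f48b3346decfe83b44216566a52a2f2bf4a9ba117a2626712b
-data.tar.gz: afef4e221a4e7becce12338289eafe79b60138bd2706ec76a51229a588fe8e5d
+metadata.gz: fd31243686f41f3d2acfc2f7235685baaab23ca967774d6f642e7f5aab7f2fbc
+data.tar.gz: 1c6bdf6fc08c4a145c5ecefea9aaa2fe60d2f1d0142c78aed17a73d4acaaa9ce
 SHA512:
-metadata.gz: 72bc4f1be354aa23bda0bb62814d194568691b9833e21b8da89594eea213f5ce6fc523ea60c04f19a7e23e546826c98a35ba6cf812579162c70bc6a0905c5d09
-data.tar.gz: c0db9494ac8b67ad61c2dfa38f8b6bb64dad204bbf1978cc86f58600d71ee10f977a38ae74b69b7212293f31eec7ebec183c3c90e14aa274605ebe3972626ec7
+metadata.gz: baee695644bd79e2561183326818a30f2dd1be7e4262973faacc2fa17ba7970888f9b4beb5cb0ebf2ce9a8c477d99d941f29431bdfaea32d66bd654c244e9545
+data.tar.gz: 16347bfe873b1f0ab075a43b5f98590a5d2f80cb985849dd7d6c868e4d753a8e5f86209bab55c06e47ea67f89b622132ce3fc88343cbb4a388ae94b798009ca1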
@@ -8,7 +8,7 @@ jobs:
8
8
  runs-on: ubuntu-latest
9
9
  strategy:
10
10
  matrix:
11
- test-branch: [rails3, rails4, master, rails6, rails6-webpacker]
11
+ test-branch: [rails3, rails4, main, rails6, rails6-webpacker]
12
12
  steps:
13
13
  - name: Checkout
14
14
  uses: actions/checkout@v2
@@ -6,6 +6,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
6
6
 
7
7
  - Nothing
8
8
 
9
+ ## [1.7.2] - 2020-12-07
10
+ ### Fixed
11
+ - Improve performance of `CachedAssetFile`. [#118](https://github.com/jamesmartin/inline_svg/pull/118). Thanks [@stevendaniels](https://github.com/stevendaniels)
12
+ - Avoid XSS by preventing malicious input of filenames. [#117](https://github.com/jamesmartin/inline_svg/pull/117). Thanks [@pbyrne](https://github.com/pbyrne).
13
+
9
14
  ## [1.7.1] - 2020-03-17
10
15
  ### Fixed
11
16
  - Static Asset Finder uses pathname for compatibility with Sprockets 4+. [#106](https://github.com/jamesmartin/inline_svg/pull/106). Thanks [@subdigital](https://github.com/subdigital)
@@ -234,7 +239,8 @@ transformations](https://github.com/jamesmartin/inline_svg/blob/master/README.md
234
239
  ### Added
235
240
  - Basic Railtie and view helper to inline SVG documents to Rails views.
236
241
 
237
- [unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...HEAD
242
+ [unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.7.2...HEAD
243
+ [1.7.2]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...v1.7.2
238
244
  [1.7.1]: https://github.com/jamesmartin/inline_svg/compare/v1.7.0...v1.7.1
239
245
  [1.7.0]: https://github.com/jamesmartin/inline_svg/compare/v1.6.0...v1.7.0
240
246
  [1.6.0]: https://github.com/jamesmartin/inline_svg/compare/v1.5.2...v1.6.0
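--- a/data/README.md
+++ b/data/README.md
@@ -98,6 +98,7 @@ key | description
 `preserve_aspect_ratio` | adds a `preserveAspectRatio` attribute to the SVG
 `aria` | adds common accessibility attributes to the SVG (see [PR #34](https://github.com/jamesmartin/inline_svg/pull/34#issue-152062674) for details)
 `aria_hidden` | adds the `aria-hidden=true` attribute to the SVG
+`fallback` | set fallback SVG document
 
 Example:
 
@@ -113,7 +114,8 @@ inline_svg_tag(
 nocomment: true,
 preserve_aspect_ratio: 'xMaxYMax meet',
 aria: true,
-aria_hidden: true
+aria_hidden: true,
+fallback: 'fallback-document.svg'
 )
 ```
 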
@@ -26,6 +26,15 @@ module InlineSvg
26
26
 
27
27
  private
28
28
 
29
+ def backwards_compatible_html_escape(filename)
30
+ # html_escape_once was introduced in newer versions of Rails.
31
+ if ERB::Util.respond_to?(:html_escape_once)
32
+ ERB::Util.html_escape_once(filename)
33
+ else
34
+ ERB::Util.html_escape(filename)
35
+ end
36
+ end
37
+
29
38
  def render_inline_svg(filename, transform_params={})
30
39
  begin
31
40
  svg_file = read_svg(filename)
@@ -55,7 +64,7 @@ module InlineSvg
55
64
 
56
65
  def placeholder(filename)
57
66
  css_class = InlineSvg.configuration.svg_not_found_css_class
58
- not_found_message = "'#(unknown)' #{extension_hint(filename)}"
67
+ not_found_message = "'#{backwards_compatible_html_escape(filename)}' #{extension_hint(filename)}"
59
68
 
60
69
  if css_class.nil?
61
70
  return "<svg><!-- SVG file not found: #{not_found_message}--></svg>".html_safe
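Review bot: The `respond_to?(:html_escape_once)` branch in `backwards_compatible_html_escape` adds a Rails-version dependency without buying anything: `ERB::Util.html_escape` is part of Ruby's own ERB, escapes the same characters, and the only difference (leaving pre-existing entities such as `&amp;` untouched) does not matter for a filename that is about to be dropped into a comment. `not_found_message = "'#{ERB::Util.html_escape(filename)}' #{extension_hint(filename)}"` would remove the helper entirely. What the XSS fix actually depends on is that every interpolation into the string later marked `.html_safe` is escaped, and `extension_hint(filename)` is defined outside the hunk, so if it echoes the filename it needs the same treatment. `placeholder` also continues past the hunk into the branch taken when a css class is configured; that branch presumably embeds `not_found_message` too and is only covered because it reuses the same variable.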
@@ -18,6 +18,7 @@ module InlineSvg
18
18
  @paths = Array(paths).compact.map { |p| Pathname.new(p) }
19
19
  @filters = Array(filters).map { |f| Regexp.new(f) }
20
20
  @assets = @paths.reduce({}) { |assets, p| assets.merge(read_assets(assets, p)) }
21
+ @sorted_asset_keys = assets.keys.sort { |a, b| a.size <=> b.size }
21
22
  end
22
23
 
23
24
  # Public: Finds the named asset and returns the contents as a string.
@@ -39,17 +40,7 @@ module InlineSvg
39
40
  # Returns a String representing the key for the named asset or nil if there
40
41
  # is no match.
41
42
  def key_for_asset(asset_name)
42
- match = all_keys_matching(asset_name).sort do |a, b|
43
- a.string.size <=> b.string.size
44
- end.first
45
- match && match.string
46
- end
47
-
48
- # Internal: Find all potential asset keys matching the given asset name.
49
- #
50
- # Returns an array of MatchData objects for keys matching the asset name.
51
- def all_keys_matching(asset_name)
52
- assets.keys.map { |k| /(#{asset_name})/.match(k.to_s) }.compact
43
+ @sorted_asset_keys.find { |k| k.include?(asset_name) }
53
44
  end
54
45
 
55
46
  # Internal: Recursively descends through current_paths reading each file it
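Review bot: `sort { |a, b| a.size <=> b.size }` leaves equal-length keys in whatever order Ruby's unstable sort produces, so when two keys of the same length both contain `asset_name` (say `icons/foo.svg` and `other/foo.svg`) `key_for_asset` picks one arbitrarily and the pick can differ between Ruby versions or processes; `@sorted_asset_keys = assets.keys.sort_by { |k| [k.to_s.size, k.to_s] }` makes it deterministic, and since the list is now built once in the constructor the extra key costs nothing. Two things are worth confirming because `read_assets` and the `assets` reader are outside the hunk: `include?` requires String keys whereas the old code went through `k.to_s`, and the old method returned `match.string` (always a String) whereas the new one returns the key object itself. `include?` keeps the old unanchored substring semantics (a request for `a.svg` still resolves `data.svg` when nothing shorter contains it), which is fine as long as callers expect it; dropping the interpolated `/(#{asset_name})/` also removes a regex-injection path for caller-controlled names, a welcome side effect of the performance change.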
@@ -1,3 +1,3 @@
1
1
  module InlineSvg
2
- VERSION = "1.7.1"
2
+ VERSION = "1.7.2"
3
3
  end
@@ -46,6 +46,17 @@ describe InlineSvg::ActionView::Helpers do
46
46
  expect(output).to be_html_safe
47
47
  end
48
48
 
49
+ it "escapes malicious input" do
50
+ malicious = "--></svg><script>alert(1)</script><svg>.svg"
51
+ allow(InlineSvg::AssetFile).to receive(:named).
52
+ with(malicious).
53
+ and_raise(InlineSvg::AssetFile::FileNotFound.new)
54
+
55
+ output = helper.send(helper_method, malicious)
56
+ expect(output).to eq "<svg><!-- SVG file not found: '--&gt;&lt;/svg&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;svg&gt;.svg' --></svg>"
57
+ expect(output).to be_html_safe
58
+ end
59
+
49
60
  it "gives a helpful hint when no .svg extension is provided in the filename" do
50
61
  allow(InlineSvg::AssetFile).to receive(:named).
51
62
  with('missing-file-with-no-extension').
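Review bot: The new example pins escaping only for the `svg_not_found_css_class.nil?` path of `placeholder`; the other branch, taken when a css class is configured, also embeds `not_found_message` and lies outside this hunk, so a sibling example with `InlineSvg.configuration.svg_not_found_css_class` set would show the escaped string reaches that output too. The expected `'...svg' -->` also silently encodes that `extension_hint` returns an empty string for names ending in `.svg`; a comment such as `# no extension hint: the name already ends in .svg` would stop a reader from taking the space before `-->` for a typo. A second input ending in `--!>` would be cheap to add, since HTML parsers treat it as a comment terminator as well, although the `>` escaping already neutralises it.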
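--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inline_svg
 version: !ruby/object:Gem::Version
-version: 1.7.1
+version: 1.7.2
 platform: ruby
 authors:
 - James Martin
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-17 00:00:00.000000000 Z
+date: 2020-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -200,7 +200,7 @@ homepage: https://github.com/jamesmartin/inline_svg
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -215,9 +215,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Embeds an SVG document, inline.
 test_files: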