liquid 5.8.7 → 5.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b3b75c321445b52cb025c14359defc6f1c5c38662f4cc49fdb25665578d7e0bd
-  data.tar.gz: c8b444e6a3848fbe278c8208feca605b788417aba56d2091e39cc6cf427f703b
+  metadata.gz: 112da43191fdf32af9afb1ad6322ff2fab8b22b6d658073980ba236aa1834213
+  data.tar.gz: b7ab5c91bc2f65b91a782027eedd8374f1f46629c791d6b2c07a8ba2c07d7314
 SHA512:
-  metadata.gz: 44360766b328bd38396bf8a0fa0a37f6808f955804fb0208d415d01ef5370ad3504adb8fa204e1df16fb28917e96588a0d51bcb21a46607a0c350b1434f7ea35
-  data.tar.gz: 59de1d715d6a9dcff97600e160c0827bd83a6e4f36f92d546c8f6d7734103ffcbe0477d829a8a3c397db8bde5ca56fab13b981997e1222f734794c23303e29e4
+  metadata.gz: c941dc92d57cf97c30a6db6eb206e7f00b780070b8dc790def3a8be06a3714562813b0ca8da34d5745be4432c839cf2f5946557d103ae0e56ffe5822b4ebf1e6
+  data.tar.gz: 9491a34a69273c3cebe65208f935007e68dbd81a8b32913ebc7d0056863c9f3a30b6dff9d1da3b37af66e472aedf60c6979e22d5f500ba6d24bd4f8637449a3f

data/History.md

@@ -1,5 +1,8 @@
 # Liquid Change Log
 
+## 5.9.0
+* Introduce `:rigid` error mode for stricter, safer parsing of all tags [CP Clermont, Guilherme Carreiro]
+
 ## 5.8.7
 * Expose body content in the `Doc` tag [James Meng]
 

data/README.md

@@ -99,14 +99,14 @@ Setting the error mode of Liquid lets you specify how strictly you want your tem
 Normally the parser is very lax and will accept almost anything without error. Unfortunately this can make
 it very hard to debug and can lead to unexpected behaviour.
 
-Liquid also comes with a stricter parser that can be used when editing templates to give better error messages
+Liquid also comes with different parsers that can be used when editing templates to give better error messages
 when templates are invalid. You can enable this new parser like this:
 
 ```ruby
-Liquid::Environment.default.error_mode = :strict
-Liquid::Environment.default.error_mode = :strict # Raises a SyntaxError when invalid syntax is used
-Liquid::Environment.default.error_mode = :warn # Adds strict errors to template.errors but continues as normal
-Liquid::Environment.default.error_mode = :lax # The default mode, accepts almost anything.
+Liquid::Environment.default.error_mode = :rigid  # Raises a SyntaxError when invalid syntax is used in all tags
+Liquid::Environment.default.error_mode = :strict # Raises a SyntaxError when invalid syntax is used in some tags
+Liquid::Environment.default.error_mode = :warn   # Adds strict errors to template.errors but continues as normal
+Liquid::Environment.default.error_mode = :lax    # The default mode, accepts almost anything.
 ```
 
 If you want to set the error mode only on specific templates you can pass `:error_mode` as an option to `parse`:

data/lib/liquid/condition.rb

@@ -48,8 +48,8 @@ module Liquid
       @@operators
     end
 
-    def self.parse_expression(parse_context, markup)
-      @@method_literals[markup] || parse_context.parse_expression(markup)
+    def self.parse_expression(parse_context, markup, safe: false)
+      @@method_literals[markup] || parse_context.parse_expression(markup, safe: safe)
     end
 
     attr_reader :attachment, :child_condition

data/lib/liquid/environment.rb

@@ -34,7 +34,7 @@ module Liquid
       # @param file_system The default file system that is used
       #  to load templates from.
       # @param error_mode [Symbol] The default error mode for all templates
-      #  (either :strict, :warn, or :lax).
+      #  (either :rigid, :strict, :warn, or :lax).
       # @param exception_renderer [Proc] The exception renderer that is used to
       #   render exceptions.
       # @yieldparam environment [Environment] The environment instance that is being built.

data/lib/liquid/expression.rb

@@ -28,6 +28,10 @@ module Liquid
     FLOAT_REGEX = /\A(-?\d+)\.\d+\z/
 
     class << self
+      def safe_parse(parser, ss = StringScanner.new(""), cache = nil)
+        parse(parser.expression, ss, cache)
+      end
+
       def parse(markup, ss = StringScanner.new(""), cache = nil)
         return unless markup
 

data/lib/liquid/locales/en.yml

@@ -20,6 +20,7 @@
       invalid_template_encoding: "Invalid template encoding"
       render: "Syntax error in tag 'render' - Template name must be a quoted string"
       table_row: "Syntax Error in 'table_row loop' - Valid syntax: table_row [item] in [collection] cols=3"
+      table_row_invalid_attribute: "Invalid attribute '%{attribute}' in tablerow loop. Valid attributes are cols, limit, offset, and range"
       tag_never_closed: "'%{block_name}' tag was never closed"
       tag_termination: "Tag '%{token}' was not properly terminated with regexp: %{tag_end}"
       unexpected_else: "%{block_name} tag does not expect 'else' tag"

data/lib/liquid/parse_context.rb

@@ -50,7 +50,22 @@ module Liquid
       )
     end
 
-    def parse_expression(markup)
+    def safe_parse_expression(parser)
+      Expression.safe_parse(parser, @string_scanner, @expression_cache)
+    end
+
+    def parse_expression(markup, safe: false)
+      if !safe && @error_mode == :rigid
+        # parse_expression is a widely used API. To maintain backward
+        # compatibility while raising awareness about rigid parser standards,
+        # the safe flag supports API users make a deliberate decision.
+        #
+        # In rigid mode, markup MUST come from a string returned by the parser
+        # (e.g., parser.expression). We're not calling the parser here to
+        # prevent redundant parser overhead.
+        raise Liquid::InternalError, "unsafe parse_expression cannot be used in rigid mode"
+      end
+
       Expression.parse(markup, @string_scanner, @expression_cache)
     end
 

data/lib/liquid/parser_switching.rb

@@ -2,10 +2,22 @@
 
 module Liquid
   module ParserSwitching
+    # Do not use this.
+    #
+    # It's basically doing the same thing the {#parse_with_selected_parser},
+    # except this will try the strict parser regardless of the error mode,
+    # and fall back to the lax parser if the error mode is lax or warn,
+    # except when in rigid mode where it uses the rigid parser.
+    #
+    # @deprecated Use {#parse_with_selected_parser} instead.
     def strict_parse_with_error_mode_fallback(markup)
+      return rigid_parse_with_error_context(markup) if rigid_mode?
+
       strict_parse_with_error_context(markup)
     rescue SyntaxError => e
       case parse_context.error_mode
+      when :rigid
+        raise
       when :strict
         raise
       when :warn
@@ -16,11 +28,12 @@ module Liquid
 
     def parse_with_selected_parser(markup)
       case parse_context.error_mode
+      when :rigid  then rigid_parse_with_error_context(markup)
       when :strict then strict_parse_with_error_context(markup)
       when :lax    then lax_parse(markup)
       when :warn
         begin
-          strict_parse_with_error_context(markup)
+          rigid_parse_with_error_context(markup)
         rescue SyntaxError => e
           parse_context.warnings << e
           lax_parse(markup)
@@ -28,8 +41,20 @@ module Liquid
       end
     end
 
+    def rigid_mode?
+      parse_context.error_mode == :rigid
+    end
+
     private
 
+    def rigid_parse_with_error_context(markup)
+      rigid_parse(markup)
+    rescue SyntaxError => e
+      e.line_number    = line_number
+      e.markup_context = markup_context(markup)
+      raise e
+    end
+
     def strict_parse_with_error_context(markup)
       strict_parse(markup)
     rescue SyntaxError => e

data/lib/liquid/tag.rb

@@ -68,8 +68,12 @@ module Liquid
 
     private
 
-    def parse_expression(markup)
-      parse_context.parse_expression(markup)
+    def safe_parse_expression(parser)
+      parse_context.safe_parse_expression(parser)
+    end
+
+    def parse_expression(markup, safe: false)
+      parse_context.parse_expression(markup, safe: safe)
     end
   end
 end

data/lib/liquid/tags/assign.rb

@@ -9,6 +9,10 @@ module Liquid
   #   Creates a new variable.
   # @liquid_description
   #   You can create variables of any [basic type](/docs/api/liquid/basics#types), [object](/docs/api/liquid/objects), or object property.
+  #
+  #   > Caution:
+  #   > Predefined Liquid objects can be overridden by variables with the same name.
+  #   > To make sure that you can access all Liquid objects, make sure that your variable name doesn't match a predefined object's name.
   # @liquid_syntax
   #   {% assign variable_name = value %}
   # @liquid_syntax_keyword variable_name The name of the variable being created.

data/lib/liquid/tags/capture.rb

@@ -9,6 +9,10 @@ module Liquid
   #   Creates a new variable with a string value.
   # @liquid_description
   #   You can create complex strings with Liquid logic and variables.
+  #
+  #   > Caution:
+  #   > Predefined Liquid objects can be overridden by variables with the same name.
+  #   > To make sure that you can access all Liquid objects, make sure that your variable name doesn't match a predefined object's name.
   # @liquid_syntax
   #   {% capture variable %}
   #     value

data/lib/liquid/tags/case.rb

@@ -31,12 +31,7 @@ module Liquid
     def initialize(tag_name, markup, options)
       super
       @blocks = []
-
-      if markup =~ Syntax
-        @left = parse_expression(Regexp.last_match(1))
-      else
-        raise SyntaxError, options[:locale].t("errors.syntax.case")
-      end
+      parse_with_selected_parser(markup)
     end
 
     def parse(tokens)
@@ -91,9 +86,50 @@ module Liquid
 
     private
 
+    def rigid_parse(markup)
+      parser = @parse_context.new_parser(markup)
+      @left = safe_parse_expression(parser)
+      parser.consume(:end_of_string)
+    end
+
+    def strict_parse(markup)
+      lax_parse(markup)
+    end
+
+    def lax_parse(markup)
+      if markup =~ Syntax
+        @left = parse_expression(Regexp.last_match(1))
+      else
+        raise SyntaxError, options[:locale].t("errors.syntax.case")
+      end
+    end
+
     def record_when_condition(markup)
       body = new_body
 
+      if rigid_mode?
+        parse_rigid_when(markup, body)
+      else
+        parse_lax_when(markup, body)
+      end
+    end
+
+    def parse_rigid_when(markup, body)
+      parser = @parse_context.new_parser(markup)
+
+      loop do
+        expr = safe_parse_expression(parser)
+        block = Condition.new(@left, '==', expr)
+        block.attach(body)
+        @blocks << block
+
+        break unless parser.id?('or') || parser.consume?(:comma)
+      end
+
+      parser.consume(:end_of_string)
+    end
+
+    def parse_lax_when(markup, body)
       while markup
         unless markup =~ WhenSyntax
           raise SyntaxError, options[:locale].t("errors.syntax.case_invalid_when")

data/lib/liquid/tags/cycle.rb

@@ -17,23 +17,13 @@ module Liquid
   class Cycle < Tag
     SimpleSyntax = /\A#{QuotedFragment}+/o
     NamedSyntax  = /\A(#{QuotedFragment})\s*\:\s*(.*)/om
+    UNNAMED_CYCLE_PATTERN = /\w+:0x\h{8}/
 
     attr_reader :variables
 
     def initialize(tag_name, markup, options)
       super
-      case markup
-      when NamedSyntax
-        @variables = variables_from_string(Regexp.last_match(2))
-        @name      = parse_expression(Regexp.last_match(1))
-        @is_named = true
-      when SimpleSyntax
-        @variables = variables_from_string(markup)
-        @name      = @variables.to_s
-        @is_named = !@name.match?(/\w+:0x\h{8}/)
-      else
-        raise SyntaxError, options[:locale].t("errors.syntax.cycle")
-      end
+      parse_with_selected_parser(markup)
     end
 
     def named?
@@ -65,19 +55,82 @@ module Liquid
 
     private
 
+    # cycle [name:] expression(, expression)*
+    def rigid_parse(markup)
+      p = @parse_context.new_parser(markup)
+
+      @variables = []
+
+      raise SyntaxError, options[:locale].t("errors.syntax.cycle") if p.look(:end_of_string)
+
+      first_expression = safe_parse_expression(p)
+      if p.look(:colon)
+        # cycle name: expr1, expr2, ...
+        @name = first_expression
+        @is_named = true
+        p.consume(:colon)
+        # After the colon, parse the first variable (required for named cycles)
+        @variables << maybe_dup_lookup(safe_parse_expression(p))
+      else
+        # cycle expr1, expr2, ...
+        @variables << maybe_dup_lookup(first_expression)
+      end
+
+      # Parse remaining comma-separated expressions
+      while p.consume?(:comma)
+        break if p.look(:end_of_string)
+
+        @variables << maybe_dup_lookup(safe_parse_expression(p))
+      end
+
+      p.consume(:end_of_string)
+
+      unless @is_named
+        @name = @variables.to_s
+        @is_named = !@name.match?(UNNAMED_CYCLE_PATTERN)
+      end
+    end
+
+    def strict_parse(markup)
+      lax_parse(markup)
+    end
+
+    def lax_parse(markup)
+      case markup
+      when NamedSyntax
+        @variables = variables_from_string(Regexp.last_match(2))
+        @name      = parse_expression(Regexp.last_match(1))
+        @is_named = true
+      when SimpleSyntax
+        @variables = variables_from_string(markup)
+        @name      = @variables.to_s
+        @is_named = !@name.match?(UNNAMED_CYCLE_PATTERN)
+      else
+        raise SyntaxError, options[:locale].t("errors.syntax.cycle")
+      end
+    end
+
     def variables_from_string(markup)
       markup.split(',').collect do |var|
         var =~ /\s*(#{QuotedFragment})\s*/o
         next unless Regexp.last_match(1)
 
-        # Expression Parser returns cached objects, and we need to dup them to
-        # start the cycle over for each new cycle call.
-        # Liquid-C does not have a cache, so we don't need to dup the object.
         var = parse_expression(Regexp.last_match(1))
-        var.is_a?(VariableLookup) ? var.dup : var
+        maybe_dup_lookup(var)
       end.compact
     end
 
+    # For backwards compatibility, whenever a lookup is used in an unnamed cycle,
+    # we make it so that the @variables.to_s produces different strings for cycles
+    # called with the same arguments (since @variables.to_s is used as the cycle counter key)
+    # This makes it so {% cycle a, b %} and {% cycle a, b %} have independent counters even if a and b share value.
+    # This is not true for literal values, {% cycle "a", "b" %} and {% cycle "a", "b" %} share the same counter.
+    # I was really scratching my head about this one, but migrating away from this would be more headache
+    # than it's worth. So we're keeping this quirk for now.
+    def maybe_dup_lookup(var)
+      var.is_a?(VariableLookup) ? var.dup : var
+    end
+
     class ParseTreeVisitor < Liquid::ParseTreeVisitor
       def children
         Array(@node.variables)

data/lib/liquid/tags/decrement.rb

@@ -7,6 +7,10 @@ module Liquid
   # @liquid_name decrement
   # @liquid_summary
   #   Creates a new variable, with a default value of -1, that's decreased by 1 with each subsequent call.
+  #
+  #   > Caution:
+  #   > Predefined Liquid objects can be overridden by variables with the same name.
+  #   > To make sure that you can access all Liquid objects, make sure that your variable name doesn't match a predefined object's name.
   # @liquid_description
   #   Variables that are declared with `decrement` are unique to the [layout](/themes/architecture/layouts), [template](/themes/architecture/templates),
   #   or [section](/themes/architecture/sections) file that they're created in. However, the variable is shared across

data/lib/liquid/tags/for.rb

@@ -20,8 +20,8 @@ module Liquid
   # @liquid_syntax_keyword variable The current item in the array.
   # @liquid_syntax_keyword array The array to iterate over.
   # @liquid_syntax_keyword expression The expression to render for each iteration.
-  # @liquid_optional_param limit [number] The number of iterations to perform.
-  # @liquid_optional_param offset [number] The 1-based index to start iterating at.
+  # @liquid_optional_param limit: [number] The number of iterations to perform.
+  # @liquid_optional_param offset: [number] The 1-based index to start iterating at.
   # @liquid_optional_param range [untyped] A custom numeric range to iterate over.
   # @liquid_optional_param reversed [untyped] Iterate in reverse order.
   class For < Block
@@ -93,7 +93,7 @@ module Liquid
       raise SyntaxError, options[:locale].t("errors.syntax.for_invalid_in") unless p.id?('in')
 
       collection_name  = p.expression
-      @collection_name = parse_expression(collection_name)
+      @collection_name = parse_expression(collection_name, safe: true)
 
       @name     = "#{@variable_name}-#{collection_name}"
       @reversed = p.id?('reversed')
@@ -104,13 +104,17 @@ module Liquid
           raise SyntaxError, options[:locale].t("errors.syntax.for_invalid_attribute")
         end
         p.consume(:colon)
-        set_attribute(attribute, p.expression)
+        set_attribute(attribute, p.expression, safe: true)
       end
       p.consume(:end_of_string)
     end
 
     private
 
+    def rigid_parse(markup)
+      strict_parse(markup)
+    end
+
     def collection_segment(context)
       offsets = context.registers[:for] ||= {}
 
@@ -174,16 +178,16 @@ module Liquid
       output
     end
 
-    def set_attribute(key, expr)
+    def set_attribute(key, expr, safe: false)
       case key
       when 'offset'
         @from = if expr == 'continue'
           :continue
         else
-          parse_expression(expr)
+          parse_expression(expr, safe: safe)
         end
       when 'limit'
-        @limit = parse_expression(expr)
+        @limit = parse_expression(expr, safe: safe)
       end
     end
 

data/lib/liquid/tags/if.rb

@@ -66,6 +66,10 @@ module Liquid
 
     private
 
+    def rigid_parse(markup)
+      strict_parse(markup)
+    end
+
     def push_block(tag, markup)
       block = if tag == 'else'
         ElseCondition.new
@@ -77,8 +81,8 @@ module Liquid
       block.attach(new_body)
     end
 
-    def parse_expression(markup)
-      Condition.parse_expression(parse_context, markup)
+    def parse_expression(markup, safe: false)
+      Condition.parse_expression(parse_context, markup, safe: safe)
     end
 
     def lax_parse(markup)
@@ -120,9 +124,9 @@ module Liquid
     end
 
     def parse_comparison(p)
-      a = parse_expression(p.expression)
+      a = parse_expression(p.expression, safe: true)
       if (op = p.consume?(:comparison))
-        b = parse_expression(p.expression)
+        b = parse_expression(p.expression, safe: true)
         Condition.new(a, op, b)
       else
         Condition.new(a)

data/lib/liquid/tags/include.rb

@@ -27,24 +27,7 @@ module Liquid
 
     def initialize(tag_name, markup, options)
       super
-
-      if markup =~ SYNTAX
-
-        template_name = Regexp.last_match(1)
-        variable_name = Regexp.last_match(3)
-
-        @alias_name         = Regexp.last_match(5)
-        @variable_name_expr = variable_name ? parse_expression(variable_name) : nil
-        @template_name_expr = parse_expression(template_name)
-        @attributes         = {}
-
-        markup.scan(TagAttributes) do |key, value|
-          @attributes[key] = parse_expression(value)
-        end
-
-      else
-        raise SyntaxError, options[:locale].t("errors.syntax.include")
-      end
+      parse_with_selected_parser(markup)
     end
 
     def parse(_tokens)
@@ -101,6 +84,49 @@ module Liquid
     alias_method :parse_context, :options
     private :parse_context
 
+    def rigid_parse(markup)
+      p = @parse_context.new_parser(markup)
+
+      @template_name_expr = safe_parse_expression(p)
+      @variable_name_expr = safe_parse_expression(p) if p.id?("for") || p.id?("with")
+      @alias_name         = p.consume(:id) if p.id?("as")
+
+      p.consume?(:comma)
+
+      @attributes = {}
+      while p.look(:id)
+        key = p.consume
+        p.consume(:colon)
+        @attributes[key] = safe_parse_expression(p)
+        p.consume?(:comma)
+      end
+
+      p.consume(:end_of_string)
+    end
+
+    def strict_parse(markup)
+      lax_parse(markup)
+    end
+
+    def lax_parse(markup)
+      if markup =~ SYNTAX
+        template_name = Regexp.last_match(1)
+        variable_name = Regexp.last_match(3)
+
+        @alias_name         = Regexp.last_match(5)
+        @variable_name_expr = variable_name ? parse_expression(variable_name) : nil
+        @template_name_expr = parse_expression(template_name)
+        @attributes         = {}
+
+        markup.scan(TagAttributes) do |key, value|
+          @attributes[key] = parse_expression(value)
+        end
+
+      else
+        raise SyntaxError, options[:locale].t("errors.syntax.include")
+      end
+    end
+
     class ParseTreeVisitor < Liquid::ParseTreeVisitor
       def children
         [

data/lib/liquid/tags/increment.rb

@@ -7,6 +7,10 @@ module Liquid
   # @liquid_name increment
   # @liquid_summary
   #   Creates a new variable, with a default value of 0, that's increased by 1 with each subsequent call.
+  #
+  #   > Caution:
+  #   > Predefined Liquid objects can be overridden by variables with the same name.
+  #   > To make sure that you can access all Liquid objects, make sure that your variable name doesn't match a predefined object's name.
   # @liquid_description
   #   Variables that are declared with `increment` are unique to the [layout](/themes/architecture/layouts), [template](/themes/architecture/templates),
   #   or [section](/themes/architecture/sections) file that they're created in. However, the variable is shared across

data/lib/liquid/tags/render.rb

@@ -35,22 +35,7 @@ module Liquid
 
     def initialize(tag_name, markup, options)
       super
-
-      raise SyntaxError, options[:locale].t("errors.syntax.render") unless markup =~ SYNTAX
-
-      template_name = Regexp.last_match(1)
-      with_or_for = Regexp.last_match(3)
-      variable_name = Regexp.last_match(4)
-
-      @alias_name = Regexp.last_match(6)
-      @variable_name_expr = variable_name ? parse_expression(variable_name) : nil
-      @template_name_expr = parse_expression(template_name)
-      @is_for_loop = (with_or_for == FOR)
-
-      @attributes = {}
-      markup.scan(TagAttributes) do |key, value|
-        @attributes[key] = parse_expression(value)
-      end
+      parse_with_selected_parser(markup)
     end
 
     def for_loop?
@@ -99,6 +84,55 @@ module Liquid
       output
     end
 
+    # render (string) (with|for expression)? (as id)? (key: value)*
+    def rigid_parse(markup)
+      p = @parse_context.new_parser(markup)
+
+      @template_name_expr = parse_expression(rigid_template_name(p), safe: true)
+      with_or_for         = p.id?("for") || p.id?("with")
+      @variable_name_expr = safe_parse_expression(p) if with_or_for
+      @alias_name         = p.consume(:id) if p.id?("as")
+      @is_for_loop        = (with_or_for == FOR)
+
+      p.consume?(:comma)
+
+      @attributes = {}
+      while p.look(:id)
+        key = p.consume
+        p.consume(:colon)
+        @attributes[key] = safe_parse_expression(p)
+        p.consume?(:comma)
+      end
+
+      p.consume(:end_of_string)
+    end
+
+    def rigid_template_name(p)
+      p.consume(:string)
+    end
+
+    def strict_parse(markup)
+      lax_parse(markup)
+    end
+
+    def lax_parse(markup)
+      raise SyntaxError, options[:locale].t("errors.syntax.render") unless markup =~ SYNTAX
+
+      template_name = Regexp.last_match(1)
+      with_or_for = Regexp.last_match(3)
+      variable_name = Regexp.last_match(4)
+
+      @alias_name = Regexp.last_match(6)
+      @variable_name_expr = variable_name ? parse_expression(variable_name) : nil
+      @template_name_expr = parse_expression(template_name)
+      @is_for_loop = (with_or_for == FOR)
+
+      @attributes = {}
+      markup.scan(TagAttributes) do |key, value|
+        @attributes[key] = parse_expression(value)
+      end
+    end
+
     class ParseTreeVisitor < Liquid::ParseTreeVisitor
       def children
         [

data/lib/liquid/tags/table_row.rb

@@ -19,17 +19,54 @@ module Liquid
   # @liquid_syntax_keyword variable The current item in the array.
   # @liquid_syntax_keyword array The array to iterate over.
   # @liquid_syntax_keyword expression The expression to render.
-  # @liquid_optional_param cols [number] The number of columns that the table should have.
-  # @liquid_optional_param limit [number] The number of iterations to perform.
-  # @liquid_optional_param offset [number] The 1-based index to start iterating at.
+  # @liquid_optional_param cols: [number] The number of columns that the table should have.
+  # @liquid_optional_param limit: [number] The number of iterations to perform.
+  # @liquid_optional_param offset: [number] The 1-based index to start iterating at.
   # @liquid_optional_param range [untyped] A custom numeric range to iterate over.
   class TableRow < Block
     Syntax = /(\w+)\s+in\s+(#{QuotedFragment}+)/o
+    ALLOWED_ATTRIBUTES = ['cols', 'limit', 'offset', 'range'].freeze
 
     attr_reader :variable_name, :collection_name, :attributes
 
     def initialize(tag_name, markup, options)
       super
+      parse_with_selected_parser(markup)
+    end
+
+    def rigid_parse(markup)
+      p = @parse_context.new_parser(markup)
+
+      @variable_name = p.consume(:id)
+
+      unless p.id?("in")
+        raise SyntaxError, options[:locale].t("errors.syntax.for_invalid_in")
+      end
+
+      @collection_name = safe_parse_expression(p)
+
+      p.consume?(:comma)
+
+      @attributes = {}
+      while p.look(:id)
+        key = p.consume
+        unless ALLOWED_ATTRIBUTES.include?(key)
+          raise SyntaxError, options[:locale].t("errors.syntax.table_row_invalid_attribute", attribute: key)
+        end
+
+        p.consume(:colon)
+        @attributes[key] = safe_parse_expression(p)
+        p.consume?(:comma)
+      end
+
+      p.consume(:end_of_string)
+    end
+
+    def strict_parse(markup)
+      lax_parse(markup)
+    end
+
+    def lax_parse(markup)
       if markup =~ Syntax
         @variable_name   = Regexp.last_match(1)
         @collection_name = parse_expression(Regexp.last_match(2))

data/lib/liquid/template.rb

@@ -2,7 +2,7 @@
 
 module Liquid
   # Templates are central to liquid.
-  # Interpretating templates is a two step process. First you compile the
+  # Interpreting templates is a two step process. First you compile the
   # source code you got. During compile time some extensive error checking is performed.
   # your code should expect to get some SyntaxErrors.
   #
@@ -24,7 +24,8 @@ module Liquid
       # Sets how strict the parser should be.
       # :lax acts like liquid 2.5 and silently ignores malformed tags in most cases.
       # :warn is the default and will give deprecation warnings when invalid syntax is used.
-      # :strict will enforce correct syntax.
+      # :strict enforces correct syntax for most tags
+      # :rigid enforces correct syntax for all tags
       def error_mode=(mode)
         Deprecations.warn("Template.error_mode=", "Environment#error_mode=")
         Environment.default.error_mode = mode

data/lib/liquid/utils.rb

@@ -2,6 +2,9 @@
 
 module Liquid
   module Utils
+    DECIMAL_REGEX = /\A-?\d+\.\d+\z/
+    UNIX_TIMESTAMP_REGEX = /\A\d+\z/
+
     def self.slice_collection(collection, from, to)
       if (from != 0 || !to.nil?) && collection.respond_to?(:load_slice)
         collection.load_slice(from, to)
@@ -52,7 +55,7 @@ module Liquid
       when Numeric
         obj
       when String
-        /\A-?\d+\.\d+\z/.match?(obj.strip) ? BigDecimal(obj) : obj.to_i
+        DECIMAL_REGEX.match?(obj.strip) ? BigDecimal(obj) : obj.to_i
       else
         if obj.respond_to?(:to_number)
           obj.to_number
@@ -73,7 +76,7 @@ module Liquid
       case obj
       when 'now', 'today'
         Time.now
-      when /\A\d+\z/, Integer
+      when UNIX_TIMESTAMP_REGEX, Integer
         Time.at(obj.to_i)
       when String
         Time.parse(obj)

data/lib/liquid/variable.rb

@@ -54,7 +54,7 @@ module Liquid
           next unless f =~ /\w+/
           filtername = Regexp.last_match(0)
           filterargs = f.scan(FilterArgsRegex).flatten
-          @filters << parse_filter_expressions(filtername, filterargs)
+          @filters << lax_parse_filter_expressions(filtername, filterargs)
         end
       end
     end
@@ -65,15 +65,26 @@ module Liquid
 
       return if p.look(:end_of_string)
 
-      @name = parse_context.parse_expression(p.expression)
+      @name = parse_context.safe_parse_expression(p)
       while p.consume?(:pipe)
         filtername = p.consume(:id)
         filterargs = p.consume?(:colon) ? parse_filterargs(p) : Const::EMPTY_ARRAY
-        @filters << parse_filter_expressions(filtername, filterargs)
+        @filters << lax_parse_filter_expressions(filtername, filterargs)
       end
       p.consume(:end_of_string)
     end
 
+    def rigid_parse(markup)
+      @filters = []
+      p = @parse_context.new_parser(markup)
+
+      return if p.look(:end_of_string)
+
+      @name = parse_context.safe_parse_expression(p)
+      @filters << rigid_parse_filter_expressions(p) while p.consume?(:pipe)
+      p.consume(:end_of_string)
+    end
+
     def parse_filterargs(p)
       # first argument
       filterargs = [p.argument]
@@ -122,7 +133,7 @@ module Liquid
 
     private
 
-    def parse_filter_expressions(filter_name, unparsed_args)
+    def lax_parse_filter_expressions(filter_name, unparsed_args)
       filter_args  = []
       keyword_args = nil
       unparsed_args.each do |a|
@@ -138,6 +149,46 @@ module Liquid
       result
     end
 
+    # Surprisingly, positional and keyword arguments can be mixed.
+    #
+    # filter = filtername [":" filterargs?]
+    # filterargs = argument ("," argument)*
+    # argument = (positional_argument | keyword_argument)
+    # positional_argument = expression
+    # keyword_argument = id ":" expression
+    def rigid_parse_filter_expressions(p)
+      filtername = p.consume(:id)
+      filter_args = []
+      keyword_args = {}
+
+      if p.consume?(:colon)
+        # Parse first argument (no leading comma)
+        argument(p, filter_args, keyword_args) unless end_of_arguments?(p)
+
+        # Parse remaining arguments (with leading commas) and optional trailing comma
+        argument(p, filter_args, keyword_args) while p.consume?(:comma) && !end_of_arguments?(p)
+      end
+
+      result = [filtername, filter_args]
+      result << keyword_args unless keyword_args.empty?
+      result
+    end
+
+    def argument(p, positional_arguments, keyword_arguments)
+      if p.look(:id) && p.look(:colon, 1)
+        key = p.consume(:id)
+        p.consume(:colon)
+        value = parse_context.safe_parse_expression(p)
+        keyword_arguments[key] = value
+      else
+        positional_arguments << parse_context.safe_parse_expression(p)
+      end
+    end
+
+    def end_of_arguments?(p)
+      p.look(:pipe) || p.look(:end_of_string)
+    end
+
     def evaluate_filter_expressions(context, filter_args, filter_kwargs)
       parsed_args = filter_args.map { |expr| context.evaluate(expr) }
       if filter_kwargs

data/lib/liquid/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Liquid
-  VERSION = "5.8.7"
+  VERSION = "5.9.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: liquid
 version: !ruby/object:Gem::Version
-  version: 5.8.7
+  version: 5.9.0
 platform: ruby
 authors:
 - Tobias Lütke
@@ -159,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.7
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: A secure, non-evaling end user template engine with aesthetic markup.
 test_files: []