phlex 2.2.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3eae91fcc5ec985b668a5e016c518f6392cd91d6d155a1f60552282755ca0e7
-  data.tar.gz: 4bac6d025488edbc104135dc3417286cc4782d4f022caff2a8a414afa12d09c3
+  metadata.gz: 1ad9e30b1fc9db64488ae58d78b09bb2c8cd57db032da7e28dff9e9c2c035677
+  data.tar.gz: 343cf214ef539fac85e35d63bdfa39e104a7902d8765a7c10f6fc26d3d5704f4
 SHA512:
-  metadata.gz: 0a18175ffb32c8ae170f9fd2c7f4b990d39500cef81db66545c057f7ff6635a215ba257130c3715a82d1322666ec89badc9beb06fae3325d864a1630f685bea2
-  data.tar.gz: 4ee950b03d2d8f0b8efe085207ca42b139775dff4cc0a564661648995ef32f01fce22e84537194a7c37a6218031d9ab8a4ab7689b92bfeac53534aee4d2fc919
+  metadata.gz: 9d554ae1c210699c059d848ebe22d1f06939c93123f160be75b51eebd90271fefdd813093676fb570a8e23c9d6d58932be38a57b330f710f292f34cbd6452ef1
+  data.tar.gz: 5d5794df169f3a98c7c1de9cde0c75e2fb268c5eeaf9c6e74f731665cb52823dc972ef288589acefcdbae7907f7f1a57a0f2b59a6e933a5ac2c6b6d5dcd54e2f

data/lib/phlex/html.rb

@@ -55,7 +55,7 @@ class Phlex::HTML < Phlex::SGML
 			raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 		end
 
-		if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+		if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 			if attributes.length > 0 # with attributes
 				if block_given # with content block
 					buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"

data/lib/phlex/sgml.rb

@@ -3,7 +3,13 @@
 # **Standard Generalized Markup Language** for behaviour common to {HTML} and {SVG}.
 class Phlex::SGML
 	UNSAFE_ATTRIBUTES = Set.new(%w[srcdoc sandbox http-equiv]).freeze
-	REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping]).freeze
+	REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping xlinkhref]).freeze
+	NAMED_CHARACTER_REFERENCES = {
+		"colon" => ":",
+		"tab" => "\t",
+		"newline" => "\n",
+	}.freeze
+	UNSAFE_ATTRIBUTE_NAME_CHARS = %r([<>&"'/=\s\x00])
 
 	ERBCompiler = ERB::Compiler.new("<>").tap do |compiler|
 		compiler.pre_cmd    = [""]
@@ -518,7 +524,9 @@ class Phlex::SGML
 				if value != true && REF_ATTRIBUTES.include?(normalized_name)
 					case value
 					when String
-						if value.downcase.delete("^a-z:").start_with?("javascript:")
+						decoded_value = decode_html_character_references(value)
+
+						if decoded_value.downcase.delete("^a-z:").start_with?("javascript:")
 							# We just ignore these because they were likely not specified by the developer.
 							next
 						end
@@ -536,7 +544,7 @@ class Phlex::SGML
 				end
 			end
 
-			if name.match?(/[<>&"']/)
+			if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 				raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 			end
 
@@ -572,7 +580,7 @@ class Phlex::SGML
 					else raise Phlex::ArgumentError.new("Attribute keys should be Strings or Symbols")
 				end
 
-				if name.match?(/[<>&"']/)
+				if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 					raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 				end
 			end
@@ -653,6 +661,27 @@ class Phlex::SGML
 		buffer.gsub('"', "&quot;")
 	end
 
+	private def decode_html_character_references(value)
+		value
+			.gsub(/&#x([0-9a-f]+);?/i) {
+				begin
+					[$1.to_i(16)].pack("U*")
+				rescue
+					""
+				end
+			}
+			.gsub(/&#(\d+);?/) {
+				begin
+					[$1.to_i].pack("U*")
+				rescue
+					""
+				end
+			}
+			.gsub(/&([a-z][a-z0-9]+);?/i) {
+				NAMED_CHARACTER_REFERENCES[$1.downcase] || ""
+			}
+	end
+
 	# Result is **unsafe**, so it should be escaped!
 	def __styles__(styles)
 		case styles

data/lib/phlex/svg.rb

@@ -41,7 +41,7 @@ class Phlex::SVG < Phlex::SGML
 			raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 		end
 
-		if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+		if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 			if attributes.length > 0 # with attributes
 				if block_given # with content block
 					buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"

data/lib/phlex/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Phlex
-	VERSION = "2.2.0"
+	VERSION = "2.2.2"
 end

data/lib/phlex.rb

@@ -6,7 +6,6 @@ require "zeitwerk"
 
 module Phlex
 	Loader = Zeitwerk::Loader.for_gem.tap do |loader|
-		loader.push_dir("lib/phlex/errors", namespace: Phlex)
 		loader.inflector.inflect(
 			"csv" => "CSV",
 			"fifo" => "FIFO",
@@ -16,6 +15,7 @@ module Phlex
 			"svg" => "SVG",
 		)
 
+		loader.collapse("#{__dir__}/phlex/errors")
 		loader.setup
 	end
 

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: phlex
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.2
 platform: ruby
 authors:
 - Joel Drapper
 - Will Cosgrove
 bindir: bin
 cert_chain: []
-date: 2025-04-04 00:00:00.000000000 Z
+date: 2026-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.7'
 description: Build HTML, SVG and CSV views with Ruby classes.
 email:
 - joel@drapper.me