phlex 2.3.1 → 2.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/phlex/html.rb +1 -1
- data/lib/phlex/sgml.rb +33 -4
- data/lib/phlex/svg.rb +1 -1
- data/lib/phlex/version.rb +1 -1
- metadata +3 -3
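--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: da1aff25f1fe9b6bc23f54bd2adb5d31f9d924eecdb4f5c51b82f8992c9b89f5
+data.tar.gz: dd729cfa28db81e66fb36e60771a6f22955888d93b69981c3cf916a0d42ba26e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9f81b0dae0bbc3e61c04e2c62346a111a5203b84d20935048edaeda19571b739299ba6a2505497993b9d915d9d3e0b68ae4025f268385dd2175c0211ef87caa7
+data.tar.gz: 0a8ee37f6ffd2109e5f5f6844b3f74a8c6b8a6f73b63c8ba4227f477326bbdd1abca5f36978681137b4f5cbc8cdb80a0d7fe91795bd7200e48fa1317a30c63f5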
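--- a/data/lib/phlex/html.rb
+++ b/data/lib/phlex/html.rb
@@ -55,7 +55,7 @@ class Phlex::HTML < Phlex::SGML
 raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 end
 
-if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 if attributes.length > 0 # with attributes
 if block_given # with content block
 buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"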
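--- a/data/lib/phlex/sgml.rb
+++ b/data/lib/phlex/sgml.rb
@@ -3,7 +3,13 @@
 # **Standard Generalized Markup Language** for behaviour common to {HTML} and {SVG}.
 class Phlex::SGML
 UNSAFE_ATTRIBUTES = Set.new(%w[srcdoc sandbox http-equiv]).freeze
-REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping]).freeze
+REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping xlinkhref]).freeze
+NAMED_CHARACTER_REFERENCES = {
+"colon" => ":",
+"tab" => "\t",
+"newline" => "\n",
+}.freeze
+UNSAFE_ATTRIBUTE_NAME_CHARS = %r([<>&"'/=\s\x00])
 
 ERBCompiler = ERB::Compiler.new("<>").tap do |compiler|
 compiler.pre_cmd = [""]
@@ -520,7 +526,9 @@ class Phlex::SGML
 if value != true && REF_ATTRIBUTES.include?(normalized_name)
 case value
 when String
-
+decoded_value = decode_html_character_references(value)
+
+if decoded_value.downcase.delete("^a-z:").start_with?("javascript:")
 # We just ignore these because they were likely not specified by the developer.
 next
 end
@@ -538,7 +546,7 @@ class Phlex::SGML
 end
 end
 
-if name.match?(
+if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 end
 
@@ -574,7 +582,7 @@ class Phlex::SGML
 else raise Phlex::ArgumentError.new("Attribute keys should be Strings or Symbols")
 end
 
-if name.match?(
+if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 end
 end
@@ -655,6 +663,27 @@ class Phlex::SGML
 buffer.gsub('"', """)
 end
 
+private def decode_html_character_references(value)
+value
+.gsub(/&#x([0-9a-f]+);?/i) {
+begin
+[$1.to_i(16)].pack("U*")
+rescue
+""
+end
+}
+.gsub(/&#(\d+);?/) {
+begin
+[$1.to_i].pack("U*")
+rescue
+""
+end
+}
+.gsub(/&([a-z][a-z0-9]+);?/i) {
+NAMED_CHARACTER_REFERENCES[$1.downcase] || ""
+}
+end
+
 # Result is **unsafe**, so it should be escaped!
 private def __styles__(styles)
 case styles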
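--- a/data/lib/phlex/svg.rb
+++ b/data/lib/phlex/svg.rb
@@ -41,7 +41,7 @@ class Phlex::SVG < Phlex::SGML
 raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 end
 
-if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 if attributes.length > 0 # with attributes
 if block_given # with content block
 buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"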
data/lib/phlex/version.rb
CHANGED
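--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: phlex
 version: !ruby/object:Gem::Version
-version: 2.3.
+version: 2.3.2
 platform: ruby
 authors:
 - Joel Drapper
 - Will Cosgrove
 bindir: bin
 cert_chain: []
-date:
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: zeitwerk
@@ -79,7 +79,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Object-oriented views in Ruby.
 test_files: []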