phlex 1.11.0 → 1.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/phlex/sgml.rb +41 -2
- data/lib/phlex/version.rb +1 -1
- metadata +3 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b009908cf2bca382857d9e6adaf26040bbc72df73b4227546e48888d508552f0
|
|
4
|
+
data.tar.gz: 560928a3386b32c8f0a94a31462d29b9ff73bcbeb9ecad1171399c1f749be871
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eb282ecd7594914cd485309e270748d64e3b74bed6fd49ec98244ea34e1fb90cbba0ff542909ee59d3347dce6cde47604aeb67efae605ccfa554473ed8934f61
|
|
7
|
+
data.tar.gz: 05ff1300599f9360d07d249e27ee3ef84667c77268bbe25c92a0609686e594f45aa377068714690ca55ee925548d85406b84aa3b3bad26d2eb2c6beb2dd12bf4
|
data/lib/phlex/sgml.rb
CHANGED
|
@@ -4,6 +4,13 @@ module Phlex
|
|
|
4
4
|
# **Standard Generalized Markup Language** for behaviour common to {HTML} and {SVG}.
|
|
5
5
|
class SGML
|
|
6
6
|
include Helpers
|
|
7
|
+
REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping xlinkhref]).freeze
|
|
8
|
+
NAMED_CHARACTER_REFERENCES = {
|
|
9
|
+
"colon" => ":",
|
|
10
|
+
"tab" => "\t",
|
|
11
|
+
"newline" => "\n",
|
|
12
|
+
}.freeze
|
|
13
|
+
UNSAFE_ATTRIBUTE_NAME_CHARS = %r([<>&"'/=\s\x00])
|
|
7
14
|
|
|
8
15
|
class << self
|
|
9
16
|
# Render the view to a String. Arguments are delegated to {.new}.
|
|
@@ -421,6 +428,27 @@ module Phlex
|
|
|
421
428
|
buffer
|
|
422
429
|
end
|
|
423
430
|
|
|
431
|
+
def decode_html_character_references(value)
|
|
432
|
+
value
|
|
433
|
+
.gsub(/&#x([0-9a-f]+);?/i) {
|
|
434
|
+
begin
|
|
435
|
+
[$1.to_i(16)].pack("U*")
|
|
436
|
+
rescue
|
|
437
|
+
""
|
|
438
|
+
end
|
|
439
|
+
}
|
|
440
|
+
.gsub(/&#(\d+);?/) {
|
|
441
|
+
begin
|
|
442
|
+
[$1.to_i].pack("U*")
|
|
443
|
+
rescue
|
|
444
|
+
""
|
|
445
|
+
end
|
|
446
|
+
}
|
|
447
|
+
.gsub(/&([a-z][a-z0-9]+);?/i) {
|
|
448
|
+
NAMED_CHARACTER_REFERENCES[$1.downcase] || ""
|
|
449
|
+
}
|
|
450
|
+
end
|
|
451
|
+
|
|
424
452
|
# @api private
|
|
425
453
|
def __build_attributes__(attributes, buffer:)
|
|
426
454
|
attributes.each do |k, v|
|
|
@@ -433,10 +461,21 @@ module Phlex
|
|
|
433
461
|
end
|
|
434
462
|
|
|
435
463
|
lower_name = name.downcase
|
|
436
|
-
|
|
464
|
+
normalized_name = lower_name.delete("^a-z")
|
|
465
|
+
|
|
466
|
+
if REF_ATTRIBUTES.include?(normalized_name)
|
|
467
|
+
decoded_value = case v
|
|
468
|
+
when String then decode_html_character_references(v)
|
|
469
|
+
when Symbol then decode_html_character_references(v.name)
|
|
470
|
+
end
|
|
471
|
+
|
|
472
|
+
if decoded_value && decoded_value.downcase.tr("^a-z:", "").start_with?("javascript:")
|
|
473
|
+
next
|
|
474
|
+
end
|
|
475
|
+
end
|
|
437
476
|
|
|
438
477
|
# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
|
|
439
|
-
if HTML::EVENT_ATTRIBUTES.include?(lower_name.tr("^a-z-", "")) || name.match?(
|
|
478
|
+
if HTML::EVENT_ATTRIBUTES.include?(lower_name.tr("^a-z-", "")) || name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
|
|
440
479
|
raise ArgumentError, "Unsafe attribute name detected: #{k}."
|
|
441
480
|
end
|
|
442
481
|
|
data/lib/phlex/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: phlex
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.11.
|
|
4
|
+
version: 1.11.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Joel Drapper
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2026-02-06 00:00:00.000000000 Z
|
|
12
11
|
dependencies: []
|
|
13
12
|
description: A high-performance view framework optimised for fun.
|
|
14
13
|
email:
|
|
@@ -47,7 +46,6 @@ metadata:
|
|
|
47
46
|
changelog_uri: https://github.com/phlex-ruby/phlex/blob/main/CHANGELOG.md
|
|
48
47
|
funding_uri: https://github.com/sponsors/joeldrapper
|
|
49
48
|
rubygems_mfa_required: 'true'
|
|
50
|
-
post_install_message:
|
|
51
49
|
rdoc_options: []
|
|
52
50
|
require_paths:
|
|
53
51
|
- lib
|
|
@@ -62,8 +60,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
62
60
|
- !ruby/object:Gem::Version
|
|
63
61
|
version: '0'
|
|
64
62
|
requirements: []
|
|
65
|
-
rubygems_version: 3.
|
|
66
|
-
signing_key:
|
|
63
|
+
rubygems_version: 3.6.2
|
|
67
64
|
specification_version: 4
|
|
68
65
|
summary: A fun framework for building views in Ruby.
|
|
69
66
|
test_files: []
|