phlex 2.2.1 → 2.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/phlex/html.rb +1 -1
- data/lib/phlex/sgml.rb +33 -4
- data/lib/phlex/svg.rb +1 -1
- data/lib/phlex/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1ad9e30b1fc9db64488ae58d78b09bb2c8cd57db032da7e28dff9e9c2c035677
|
|
4
|
+
data.tar.gz: 343cf214ef539fac85e35d63bdfa39e104a7902d8765a7c10f6fc26d3d5704f4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9d554ae1c210699c059d848ebe22d1f06939c93123f160be75b51eebd90271fefdd813093676fb570a8e23c9d6d58932be38a57b330f710f292f34cbd6452ef1
|
|
7
|
+
data.tar.gz: 5d5794df169f3a98c7c1de9cde0c75e2fb268c5eeaf9c6e74f731665cb52823dc972ef288589acefcdbae7907f7f1a57a0f2b59a6e933a5ac2c6b6d5dcd54e2f
|
data/lib/phlex/html.rb
CHANGED
|
@@ -55,7 +55,7 @@ class Phlex::HTML < Phlex::SGML
|
|
|
55
55
|
raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
|
|
56
56
|
end
|
|
57
57
|
|
|
58
|
-
if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
|
|
58
|
+
if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
|
|
59
59
|
if attributes.length > 0 # with attributes
|
|
60
60
|
if block_given # with content block
|
|
61
61
|
buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"
|
data/lib/phlex/sgml.rb
CHANGED
|
@@ -3,7 +3,13 @@
|
|
|
3
3
|
# **Standard Generalized Markup Language** for behaviour common to {HTML} and {SVG}.
|
|
4
4
|
class Phlex::SGML
|
|
5
5
|
UNSAFE_ATTRIBUTES = Set.new(%w[srcdoc sandbox http-equiv]).freeze
|
|
6
|
-
REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping]).freeze
|
|
6
|
+
REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping xlinkhref]).freeze
|
|
7
|
+
NAMED_CHARACTER_REFERENCES = {
|
|
8
|
+
"colon" => ":",
|
|
9
|
+
"tab" => "\t",
|
|
10
|
+
"newline" => "\n",
|
|
11
|
+
}.freeze
|
|
12
|
+
UNSAFE_ATTRIBUTE_NAME_CHARS = %r([<>&"'/=\s\x00])
|
|
7
13
|
|
|
8
14
|
ERBCompiler = ERB::Compiler.new("<>").tap do |compiler|
|
|
9
15
|
compiler.pre_cmd = [""]
|
|
@@ -518,7 +524,9 @@ class Phlex::SGML
|
|
|
518
524
|
if value != true && REF_ATTRIBUTES.include?(normalized_name)
|
|
519
525
|
case value
|
|
520
526
|
when String
|
|
521
|
-
|
|
527
|
+
decoded_value = decode_html_character_references(value)
|
|
528
|
+
|
|
529
|
+
if decoded_value.downcase.delete("^a-z:").start_with?("javascript:")
|
|
522
530
|
# We just ignore these because they were likely not specified by the developer.
|
|
523
531
|
next
|
|
524
532
|
end
|
|
@@ -536,7 +544,7 @@ class Phlex::SGML
|
|
|
536
544
|
end
|
|
537
545
|
end
|
|
538
546
|
|
|
539
|
-
if name.match?(
|
|
547
|
+
if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
|
|
540
548
|
raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
|
|
541
549
|
end
|
|
542
550
|
|
|
@@ -572,7 +580,7 @@ class Phlex::SGML
|
|
|
572
580
|
else raise Phlex::ArgumentError.new("Attribute keys should be Strings or Symbols")
|
|
573
581
|
end
|
|
574
582
|
|
|
575
|
-
if name.match?(
|
|
583
|
+
if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
|
|
576
584
|
raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
|
|
577
585
|
end
|
|
578
586
|
end
|
|
@@ -653,6 +661,27 @@ class Phlex::SGML
|
|
|
653
661
|
buffer.gsub('"', """)
|
|
654
662
|
end
|
|
655
663
|
|
|
664
|
+
private def decode_html_character_references(value)
|
|
665
|
+
value
|
|
666
|
+
.gsub(/&#x([0-9a-f]+);?/i) {
|
|
667
|
+
begin
|
|
668
|
+
[$1.to_i(16)].pack("U*")
|
|
669
|
+
rescue
|
|
670
|
+
""
|
|
671
|
+
end
|
|
672
|
+
}
|
|
673
|
+
.gsub(/&#(\d+);?/) {
|
|
674
|
+
begin
|
|
675
|
+
[$1.to_i].pack("U*")
|
|
676
|
+
rescue
|
|
677
|
+
""
|
|
678
|
+
end
|
|
679
|
+
}
|
|
680
|
+
.gsub(/&([a-z][a-z0-9]+);?/i) {
|
|
681
|
+
NAMED_CHARACTER_REFERENCES[$1.downcase] || ""
|
|
682
|
+
}
|
|
683
|
+
end
|
|
684
|
+
|
|
656
685
|
# Result is **unsafe**, so it should be escaped!
|
|
657
686
|
def __styles__(styles)
|
|
658
687
|
case styles
|
data/lib/phlex/svg.rb
CHANGED
|
@@ -41,7 +41,7 @@ class Phlex::SVG < Phlex::SGML
|
|
|
41
41
|
raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
|
|
44
|
+
if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
|
|
45
45
|
if attributes.length > 0 # with attributes
|
|
46
46
|
if block_given # with content block
|
|
47
47
|
buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= __attributes__(attributes)) << ">"
|
data/lib/phlex/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: phlex
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Joel Drapper
|
|
8
8
|
- Will Cosgrove
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2026-02-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: zeitwerk
|