phlex 2.4.0 → 2.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7204ba8933eeeba6ac827d6a8f965f8a69a5d63245538a882f579881a1a4f3a
-  data.tar.gz: c0d11845eb37d6a14cd6c750972a7d898a63ba7062ddcf14f2e024e5785c20fb
+  metadata.gz: abdf62bcb21b9c00118dc8fa4f1c96d510caecc15eebf4539b5655c3ab94e057
+  data.tar.gz: e88808653a12b00adbb4980e07994b379bb871cabd4652c9e19bb76ef87dc0f0
 SHA512:
-  metadata.gz: 33797f2a30f72abc79d5161e4d3006e38023450c0b4eee03018c19e545307c8344e4e085aeabd590184550ec1f1505e6681e943e1af2ab1bf5faf7f0392abcc1
-  data.tar.gz: 6ffe9a663d9be2d87d73992640c803107f26671598e058c843db8786678eee53bab16605e046af350ec0c6c9c0f5c5a5e7fe2860402f43da9727e3d54eee5e7b
+  metadata.gz: f6568b33898b323c45e86405f3369816262195e4da70b9b94405779fd6728307b7c785ee53392bc1717ee2de26dad5029ec47b2f6753cb80ed4880a4cd15c97e
+  data.tar.gz: '09cdec83ffabbe16b7e2895f1964f1cc29217c89b93a1a7848c982ec1d0329d101ad165b165f0c98638daf9c0b5bc3072cf671661e41d139a9ffe5f5069f9055'

data/lib/phlex/html.rb

@@ -55,7 +55,7 @@ class Phlex::HTML < Phlex::SGML
 			raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 		end
 
-		if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+			if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 			if attributes.length > 0 # with attributes
 				if block_given # with content block
 					buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= Phlex::SGML::Attributes.generate_attributes(attributes)) << ">"

data/lib/phlex/sgml/attributes.rb

@@ -4,7 +4,13 @@ module Phlex::SGML::Attributes
 	extend self
 
 	UNSAFE_ATTRIBUTES = Set.new(%w[srcdoc sandbox http-equiv]).freeze
-	REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping]).freeze
+	REF_ATTRIBUTES = Set.new(%w[href src action formaction lowsrc dynsrc background ping xlinkhref]).freeze
+	NAMED_CHARACTER_REFERENCES = {
+		"colon" => ":",
+		"tab" => "\t",
+		"newline" => "\n",
+	}.freeze
+	UNSAFE_ATTRIBUTE_NAME_CHARS = %r([<>&"'/=\s\x00])
 
 	def generate_attributes(attributes, buffer = +"")
 		attributes.each do |k, v|
@@ -68,7 +74,9 @@ module Phlex::SGML::Attributes
 				if value != true && REF_ATTRIBUTES.include?(normalized_name)
 					case value
 					when String
-						if value.downcase.delete("^a-z:").start_with?("javascript:")
+						decoded_value = decode_html_character_references(value)
+
+						if decoded_value.downcase.delete("^a-z:").start_with?("javascript:")
 							# We just ignore these because they were likely not specified by the developer.
 							next
 						end
@@ -86,7 +94,7 @@ module Phlex::SGML::Attributes
 				end
 			end
 
-			if name.match?(/[<>&"']/)
+			if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 				raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 			end
 
@@ -122,7 +130,7 @@ module Phlex::SGML::Attributes
 					else raise Phlex::ArgumentError.new("Attribute keys should be Strings or Symbols")
 				end
 
-				if name.match?(/[<>&"']/)
+				if name.match?(UNSAFE_ATTRIBUTE_NAME_CHARS)
 					raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 				end
 			end
@@ -160,6 +168,27 @@ module Phlex::SGML::Attributes
 		end
 	end
 
+	def decode_html_character_references(value)
+		value
+			.gsub(/&#x([0-9a-f]+);?/i) {
+				begin
+					[$1.to_i(16)].pack("U*")
+				rescue
+					""
+				end
+			}
+			.gsub(/&#(\d+);?/) {
+				begin
+					[$1.to_i].pack("U*")
+				rescue
+					""
+				end
+			}
+			.gsub(/&([a-z][a-z0-9]+);?/i) {
+				NAMED_CHARACTER_REFERENCES[$1.downcase] || ""
+			}
+	end
+
 	def generate_nested_tokens(tokens, sep = " ", gsub_from = nil, gsub_to	= "")
 		buffer = +""
 

data/lib/phlex/svg.rb

@@ -41,7 +41,7 @@ class Phlex::SVG < Phlex::SGML
 			raise Phlex::ArgumentError.new("Expected the tag name to be a Symbol.")
 		end
 
-		if (tag = StandardElements.__registered_elements__[name]) || (tag = name.name.tr("_", "-")).include?("-")
+			if (tag = StandardElements.__registered_elements__[name]) || ((tag = name.name.tr("_", "-")).include?("-") && tag.match?(/\A[a-z0-9-]+\z/))
 			if attributes.length > 0 # with attributes
 				if block_given # with content block
 					buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[attributes] ||= Phlex::SGML::Attributes.generate_attributes(attributes)) << ">"

data/lib/phlex/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Phlex
-	VERSION = "2.4.0"
+	VERSION = "2.4.1"
 end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: phlex
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Joel Drapper
 - Will Cosgrove
+autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: zeitwerk
@@ -85,6 +86,7 @@ metadata:
   changelog_uri: https://github.com/phlex-ruby/phlex/releases
   funding_uri: https://github.com/sponsors/joeldrapper
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -99,7 +101,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 3.5.3
+signing_key:
 specification_version: 4
 summary: Object-oriented views in Ruby.
 test_files: []