repost 0.4.2 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e1da23cf757ad2caae83210670973e81bd0ee2df4d2083098060e1350207f03
-  data.tar.gz: 980a4401dbc598a418ecaf8e977d81a4817e48edd35a5160103a6512ef8caf06
+  metadata.gz: 77a301cd78a8e6ce5a6b34b8acb0538701b59ca4bc351e40a8095500b0e0a735
+  data.tar.gz: 9ee29217ffc133b3ccabe49090844757334e66904135c2aad686a7f17d1dddbe
 SHA512:
-  metadata.gz: 3b2e440a8aa7b3a670170d4107ed94a9ac6e11a0da1091482ac96304697b31fbd9d37c4a2eaaf19d48a817105d12970ec8d2a6b39a740e2a8a807dd39df0ad02
-  data.tar.gz: 63f43be2ca29f724e989cf32e1aa57d4a6ec9567ac899c15e383c754790377017e288788353bb7bbdd8b11cc4ec95187643f0d28c39e27bdb5fbd3d6b443722d
+  metadata.gz: 68eab1a118f6407a1432fbad24e8fd553a0460c3821cbb945e829fd3b7afa14da183e323d7d2b64695ae1b454600840fe862b16bb05f7702d5d213ad24b2ad9d
+  data.tar.gz: 3e551dc5fa1045f106b7555894f13bb2cd02bc32a5ae6409df8e8096be848e8aea86b5db45d0ea9e7327ee8edf0f040b2958695c5280721d733f89d5828cc4e0

data/lib/repost/extend_controller.rb

@@ -1,22 +1,27 @@
 if defined?(Rails) && defined?(ActiveSupport)
   ActiveSupport.on_load(:action_controller) do
     class ::ActionController::Base
-
       def repost(url, params: {}, options: {})
         status = options.delete(:status) || :ok
-        authenticity_token = form_authenticity_token if ['auto', :auto].include?(options[:authenticity_token])
-        render html: Repost::Senpai.perform(
+        authenticity_token = if ['auto', :auto].include?(options[:authenticity_token])
+                               form_authenticity_token
+                             else
+                               options[:authenticity_token]
+                             end
+
+        html_payload = Repost::Senpai.perform(
           url,
           params: params,
           options: options.merge({
-            authenticity_token: authenticity_token,
-            autosubmit_nonce: content_security_policy_nonce,
-          }.compact)
-        ).html_safe, status: status
+                                   authenticity_token: authenticity_token,
+                                   autosubmit_nonce: content_security_policy_nonce
+                                 }.compact)
+        )
+
+        render html: html_payload.html_safe, status: status
       end
 
       alias :redirect_post :repost
-
     end
   end
 end

data/lib/repost/senpai.rb

@@ -1,3 +1,5 @@
+require 'cgi'
+
 module Repost
   class Senpai < Action
     DEFAULT_SUBMIT_BUTTON_TEXT = 'Continue'
@@ -21,10 +23,10 @@ module Repost
 
     def perform
       compiled_body = if autosubmit
-        form_body << auto_submit_script << no_script
-      else
-        form_body << submit_section
-      end
+                        form_body << auto_submit_script << no_script
+                      else
+                        form_body << submit_section
+                      end
       form_head << compiled_body << form_footer
     end
 
@@ -34,8 +36,12 @@ module Repost
                 :section_classes, :section_html, :submit_classes,
                 :submit_text, :authenticity_token, :charset, :autosubmit_nonce
 
+    def escape(value)
+      CGI.escapeHTML(value.to_s)
+    end
+
     def form_head
-      %Q(<form id="#{form_id}" action="#{url}" method="#{method}" accept-charset="#{charset}">)
+      %Q(<form id="#{escape(form_id)}" action="#{escape(url)}" method="#{escape(method)}" accept-charset="#{escape(charset)}">)
     end
 
     def form_body
@@ -57,7 +63,7 @@ module Repost
           form_input("#{key}[]", inner_value)
         end.join
       else
-        %Q(<input type="hidden" name="#{key}" value=#{process_value(value)}>)
+        %Q(<input type="hidden" name="#{escape(key)}" value="#{escape(value)}">)
       end
     end
 
@@ -66,19 +72,17 @@ module Repost
     end
 
     def csrf_token
-      %Q(<input name="authenticity_token" value="#{authenticity_token}" type="hidden">)
+      %Q(<input name="authenticity_token" value="#{escape(authenticity_token)}" type="hidden">)
     end
 
     def no_script
-      %Q(<noscript>
-        #{submit_section}
-      </noscript>)
+      %Q(<noscript>#{submit_section}</noscript>)
     end
 
     def submit_section
-      %Q(<div class="#{section_classes}">
+      %Q(<div class="#{escape(section_classes)}">
         #{section_html}
-        <input class="#{submit_classes}" type="submit" value="#{submit_text}"></input>
+        <input class="#{escape(submit_classes)}" type="submit" value="#{escape(submit_text)}">
       </div>)
     end
 
@@ -87,15 +91,10 @@ module Repost
     end
 
     def auto_submit_script
-      nonce_attr = %Q( nonce="#{autosubmit_nonce}") if autosubmit_nonce
+      nonce_attr = %Q( nonce="#{escape(autosubmit_nonce)}") if autosubmit_nonce
       %Q(<script#{nonce_attr}>
-        document.getElementById("#{form_id}").submit();
+        document.getElementById("#{escape(form_id)}").submit();
       </script>)
     end
-
-    def process_value(value)
-      return value if value.is_a?(Integer)
-      %Q("#{value.to_s.gsub("\"", '\'')}")
-    end
   end
 end

data/lib/repost/version.rb

@@ -1,3 +1,3 @@
 module Repost
-  VERSION = "0.4.2"
+  VERSION = "0.5.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: repost
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.1
 platform: ruby
 authors:
 - YaroslavO
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-11-10 00:00:00.000000000 Z
+date: 2026-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,7 +72,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Gem implements Redirect using POST method