repost 0.5.0 → 0.5.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7399517ab4d8add105196f6d329ede828d10f90f5fa3eb47e79c645d8f8269c2
4
- data.tar.gz: 18dbb378fddea7a84897dac996a5561ad2627496250d331a8c3a20500aa3b45c
3
+ metadata.gz: 77a301cd78a8e6ce5a6b34b8acb0538701b59ca4bc351e40a8095500b0e0a735
4
+ data.tar.gz: 9ee29217ffc133b3ccabe49090844757334e66904135c2aad686a7f17d1dddbe
5
5
  SHA512:
6
- metadata.gz: c4caed61603b62417cb1367fc8e162758ba134739f84c6ba5dc3c097d010c38c6024a3d3efe3b9e00461de5a761a6e99f387874b0d840532e5fa9dbd8811e6d7
7
- data.tar.gz: ad8fe848e483398718e7214744c6f207b75079a89f5644b969b0617c9eb99c4bbe5902f6ada82d19805082342420322547bac638bbb70d91f20fc9c1d29e4c76
6
+ metadata.gz: 68eab1a118f6407a1432fbad24e8fd553a0460c3821cbb945e829fd3b7afa14da183e323d7d2b64695ae1b454600840fe862b16bb05f7702d5d213ad24b2ad9d
7
+ data.tar.gz: 3e551dc5fa1045f106b7555894f13bb2cd02bc32a5ae6409df8e8096be848e8aea86b5db45d0ea9e7327ee8edf0f040b2958695c5280721d733f89d5828cc4e0
@@ -3,21 +3,22 @@ if defined?(Rails) && defined?(ActiveSupport)
3
3
  class ::ActionController::Base
4
4
  def repost(url, params: {}, options: {})
5
5
  status = options.delete(:status) || :ok
6
-
7
- token = if ['auto', :auto].include?(options[:authenticity_token])
8
- form_authenticity_token
9
- end
6
+ authenticity_token = if ['auto', :auto].include?(options[:authenticity_token])
7
+ form_authenticity_token
8
+ else
9
+ options[:authenticity_token]
10
+ end
10
11
 
11
12
  html_payload = Repost::Senpai.perform(
12
13
  url,
13
14
  params: params,
14
15
  options: options.merge({
15
- authenticity_token: token,
16
- autosubmit_nonce: content_security_policy_nonce,
16
+ authenticity_token: authenticity_token,
17
+ autosubmit_nonce: content_security_policy_nonce
17
18
  }.compact)
18
19
  )
19
20
 
20
- render html: ActionController::Base.helpers.sanitize(html_payload), status: status
21
+ render html: html_payload.html_safe, status: status
21
22
  end
22
23
 
23
24
  alias :redirect_post :repost
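Review bot: `render html: html_payload.html_safe, status: status` at the end of the hunk marks the generated form as trusted, so Rails no longer escapes or sanitizes any of it and the page's safety now rests entirely on Repost::Senpai escaping each interpolated value; `options[:section_html]` is interpolated verbatim by Senpai#submit_section (visible as context in the later hunk), so it is now rendered unsanitized. The previous `sanitize` call was presumably replaced because its default safe list strips the form/script markup the gem has to emit, but the trust boundary should be stated at the point where it is asserted. I would add above the render line: `# html_safe: Senpai HTML-escapes url, params, token and class names; section_html is inserted verbatim, so pass only trusted markup in options[:section_html]`. The reopened `class ::ActionController::Base` continues past the hunk.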
data/lib/repost/senpai.rb CHANGED
@@ -1,3 +1,5 @@
1
+ require 'cgi'
2
+
1
3
  module Repost
2
4
  class Senpai < Action
3
5
  DEFAULT_SUBMIT_BUTTON_TEXT = 'Continue'
@@ -21,10 +23,10 @@ module Repost
21
23
 
22
24
  def perform
23
25
  compiled_body = if autosubmit
24
- form_body << auto_submit_script << no_script
25
- else
26
- form_body << submit_section
27
- end
26
+ form_body << auto_submit_script << no_script
27
+ else
28
+ form_body << submit_section
29
+ end
28
30
  form_head << compiled_body << form_footer
29
31
  end
30
32
 
@@ -34,8 +36,12 @@ module Repost
34
36
  :section_classes, :section_html, :submit_classes,
35
37
  :submit_text, :authenticity_token, :charset, :autosubmit_nonce
36
38
 
39
+ def escape(value)
40
+ CGI.escapeHTML(value.to_s)
41
+ end
42
+
37
43
  def form_head
38
- %Q(<form id="#{form_id}" action="#{url}" method="#{method}" accept-charset="#{charset}">)
44
+ %Q(<form id="#{escape(form_id)}" action="#{escape(url)}" method="#{escape(method)}" accept-charset="#{escape(charset)}">)
39
45
  end
40
46
 
41
47
  def form_body
@@ -57,7 +63,7 @@ module Repost
57
63
  form_input("#{key}[]", inner_value)
58
64
  end.join
59
65
  else
60
- %Q(<input type="hidden" name="#{key}" value=#{process_value(value)}>)
66
+ %Q(<input type="hidden" name="#{escape(key)}" value="#{escape(value)}">)
61
67
  end
62
68
  end
63
69
 
@@ -66,19 +72,17 @@ module Repost
66
72
  end
67
73
 
68
74
  def csrf_token
69
- %Q(<input name="authenticity_token" value="#{authenticity_token}" type="hidden">)
75
+ %Q(<input name="authenticity_token" value="#{escape(authenticity_token)}" type="hidden">)
70
76
  end
71
77
 
72
78
  def no_script
73
- %Q(<noscript>
74
- #{submit_section}
75
- </noscript>)
79
+ %Q(<noscript>#{submit_section}</noscript>)
76
80
  end
77
81
 
78
82
  def submit_section
79
- %Q(<div class="#{section_classes}">
83
+ %Q(<div class="#{escape(section_classes)}">
80
84
  #{section_html}
81
- <input class="#{submit_classes}" type="submit" value="#{submit_text}"></input>
85
+ <input class="#{escape(submit_classes)}" type="submit" value="#{escape(submit_text)}">
82
86
  </div>)
83
87
  end
84
88
 
@@ -87,15 +91,10 @@ module Repost
87
91
  end
88
92
 
89
93
  def auto_submit_script
90
- nonce_attr = %Q( nonce="#{autosubmit_nonce}") if autosubmit_nonce
94
+ nonce_attr = %Q( nonce="#{escape(autosubmit_nonce)}") if autosubmit_nonce
91
95
  %Q(<script#{nonce_attr}>
92
- document.getElementById("#{form_id}").submit();
96
+ document.getElementById("#{escape(form_id)}").submit();
93
97
  </script>)
94
98
  end
95
-
96
- def process_value(value)
97
- return value if value.is_a?(Integer)
98
- %Q("#{value.to_s.gsub("\"", '\'')}")
99
- end
100
99
  end
101
100
  end
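Review bot: In `auto_submit_script`, `document.getElementById("#{escape(form_id)}").submit();` applies HTML entity escaping inside a `<script>` element, where entities are not decoded, so a `form_id` containing `&`, `'` or `"` becomes a different string from the decoded `id="#{escape(form_id)}"` attribute written by `form_head`, the lookup returns null and the autosubmit throws instead of submitting (the `&lt;` substitution does keep a `</script>` in the value from closing the block, so the breakout itself is prevented). A JavaScript string literal needs JS-string escaping, not HTML escaping; since the value only has to be a valid element id, the simplest consistent fix is to validate it once, e.g. `raise ArgumentError, "form_id must match /\\A[A-Za-z0-9_-]+\\z/" unless form_id.to_s.match?(/\A[A-Za-z0-9_-]+\z/)` before it is used in either context, so that `escape` becomes a no-op for it. The same context caveat applies in the other direction to `escape(url)` in `form_head`: it prevents attribute breakout but does not validate the URL, so callers that pass request-derived urls should check the scheme themselves. The `Senpai` class and the `attr_*` list at the top of the third hunk continue outside the hunks.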
@@ -1,3 +1,3 @@
1
1
  module Repost
2
- VERSION = "0.5.0"
2
+ VERSION = "0.5.1"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: repost
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - YaroslavO