smart_titles 0.4.0 → 0.4.1

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    ZmM2MjRlNTYzMzZhNDdmM2ZkNmIzNDQ3MTExN2I1NzQ5ZDU0YjYwYw==
-  data.tar.gz: !binary |-
-    NzM4Y2Q3YjRmNzI0ZWM3NDljYjcwYjVjYTkwNTE5NTUzOGViN2M5Ng==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    YzBlNGY3YzgzMTg2YTYwM2JmYTUzMzI1MGIzNWViZjVkMWYyM2ZiODkxNmZi
-    MWNhMjY3Y2M0Yzk4MmVjOTMyYzhhYzBjNjE0ZTdjNWE1MTRiYTRkODUzM2Q5
-    ZjVhMTc5NDdhNzkzY2NkMTc2NTdmMTQwYjVkM2UyNmM2MDBmYTc=
-  data.tar.gz: !binary |-
-    MTM2ODMyZDU1NzY3ZDVkODNiOTEzODg0YzY1ZTYxOWFlY2MxOTdiMDRhMmY1
-    YjgxMDcwYWVmMzNmOTVlMTUxOTZjNTFjN2RiNWUyYTQ2MmZmNTNlM2EyNWI4
-    ZTQ0Y2QwMzQ3MzhlNmViYTAzMDA5NDFkNmI5N2FkYzA4ODI4Y2U=
+SHA1:
+  metadata.gz: 169123fe04d64048f27bc19d1b846c7259d0caf3
+  data.tar.gz: a82477fa9f9b231e0db25a1d47dfd79fa8610170
+SHA512:
+  metadata.gz: c599748e4160dcb4f62d1edf15efdb502852f10040c28e1e69f5fcf3f73a756c828ed9c276cf578888bf20c8a4998e8f0b580fd6918a3ade3261533e8e1f75a0
+  data.tar.gz: 169da91edabc4395076f3f62045f0dcdbd86bd383681726f311c473d14ea9b0499526f0ead181b330d77ce702c7c1512264f5b4291e05bdf358854c46a237aec

data/Readme.md

@@ -80,6 +80,21 @@ And now products#index page will have "Products from the Coolest Store" browser'
 Changelog
 ---
 
+### 0.4.1
+This update fixes XSS vulnerability introduced in 0.3.2. H1 tag returned by "title" would skip HTML-escaping.
+Your app is affected if you include untrusted user input in the title and output the tag:
+
+    <%= title post.title %>
+    <%= title "My blog - #{post.title}" %>
+
+Not affected:
+
+    <% title post.title %> - no output
+    <%= title category.name %> - if your categories are not edited by users
+
+You are advised to upgrade. Alternatively, you can downgrade to 0.3.1 or below.
+Versions affected: 0.3.2, 0.4.0.
+
 ### 0.4.0
 The website title and template translations can now be scoped by layout. Example:
 

data/lib/smart_titles/helper.rb

@@ -41,8 +41,7 @@ module SmartTitles
                 rescue I18n::MissingTranslationData
                 end
 
-      title &&= title.html_safe
-      provide(:page_title, title)
+      provide(:page_title, title && title.html_safe) # "provide" already escapes
       content_tag(:h1, title) if title
     end
   end

data/lib/smart_titles/version.rb

@@ -1,3 +1,3 @@
 module SmartTitles
-  VERSION = "0.4.0"
+  VERSION = "0.4.1"
 end

data/test/smart_titles/helper_test.rb

@@ -63,7 +63,7 @@ class SmartTitlesHelperTest < ActionView::TestCase
   end
 
   def test_head_title_with_no_title
-    assert_includes head_title, "translation missing: en.title"
+    assert_includes head_title, "translation missing"
   end
 
 
@@ -116,8 +116,9 @@ class SmartTitlesHelperTest < ActionView::TestCase
   end
 
   def test_head_title_is_not_double_escaped
-    title 'New "post"'
+    result = title 'New "post"'
     assert_equal 'New &quot;post&quot;', h(head_title)
+    assert_equal '<h1>New &quot;post&quot;</h1>', h(result)
   end
 
 

metadata

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: smart_titles
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Semyon Perepelitsa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-23 00:00:00.000000000 Z
+date: 2013-12-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  prerelease: false
   name: activesupport
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
-- !ruby/object:Gem::Dependency
   prerelease: false
-  name: actionpack
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email: sema@sema.in
 executables: []
@@ -68,17 +68,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Really convenient way to set up page titles in a Rails application.