RubyGems - smart_titles - Versions diffs - 0.4.0 → 0.4.1 - Mend

smart_titles 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +6 -14
data/Readme.md +15 -0
data/lib/smart_titles/helper.rb +1 -2
data/lib/smart_titles/version.rb +1 -1
data/test/smart_titles/helper_test.rb +3 -2
metadata +16 -16

checksums.yaml CHANGED Viewed

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    ZmM2MjRlNTYzMzZhNDdmM2ZkNmIzNDQ3MTExN2I1NzQ5ZDU0YjYwYw==
-  data.tar.gz: !binary |-
-    NzM4Y2Q3YjRmNzI0ZWM3NDljYjcwYjVjYTkwNTE5NTUzOGViN2M5Ng==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    YzBlNGY3YzgzMTg2YTYwM2JmYTUzMzI1MGIzNWViZjVkMWYyM2ZiODkxNmZi
-    MWNhMjY3Y2M0Yzk4MmVjOTMyYzhhYzBjNjE0ZTdjNWE1MTRiYTRkODUzM2Q5
-    ZjVhMTc5NDdhNzkzY2NkMTc2NTdmMTQwYjVkM2UyNmM2MDBmYTc=
-  data.tar.gz: !binary |-
-    MTM2ODMyZDU1NzY3ZDVkODNiOTEzODg0YzY1ZTYxOWFlY2MxOTdiMDRhMmY1
-    YjgxMDcwYWVmMzNmOTVlMTUxOTZjNTFjN2RiNWUyYTQ2MmZmNTNlM2EyNWI4
-    ZTQ0Y2QwMzQ3MzhlNmViYTAzMDA5NDFkNmI5N2FkYzA4ODI4Y2U=
+SHA1:
+  metadata.gz: 169123fe04d64048f27bc19d1b846c7259d0caf3
+  data.tar.gz: a82477fa9f9b231e0db25a1d47dfd79fa8610170
+SHA512:
+  metadata.gz: c599748e4160dcb4f62d1edf15efdb502852f10040c28e1e69f5fcf3f73a756c828ed9c276cf578888bf20c8a4998e8f0b580fd6918a3ade3261533e8e1f75a0
+  data.tar.gz: 169da91edabc4395076f3f62045f0dcdbd86bd383681726f311c473d14ea9b0499526f0ead181b330d77ce702c7c1512264f5b4291e05bdf358854c46a237aec

data/Readme.md CHANGED Viewed

@@ -80,6 +80,21 @@ And now products#index page will have "Products from the Coolest Store" browser'
 Changelog
 ---
+### 0.4.1
+This update fixes XSS vulnerability introduced in 0.3.2. H1 tag returned by "title" would skip HTML-escaping.
+Your app is affected if you include untrusted user input in the title and output the tag:
+    <%= title post.title %>
+    <%= title "My blog - #{post.title}" %>
+Not affected:
+    <% title post.title %> - no output
+    <%= title category.name %> - if your categories are not edited by users
+You are advised to upgrade. Alternatively, you can downgrade to 0.3.1 or below.
+Versions affected: 0.3.2, 0.4.0.
 ### 0.4.0
 The website title and template translations can now be scoped by layout. Example:

data/lib/smart_titles/helper.rb CHANGED Viewed

@@ -41,8 +41,7 @@ module SmartTitles
                 rescue I18n::MissingTranslationData
                 end
-      title &&= title.html_safe
-      provide(:page_title, title)
+      provide(:page_title, title && title.html_safe) # "provide" already escapes
       content_tag(:h1, title) if title
     end
   end

data/lib/smart_titles/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SmartTitles
-  VERSION = "0.4.0"
+  VERSION = "0.4.1"
 end

data/test/smart_titles/helper_test.rb CHANGED Viewed

@@ -63,7 +63,7 @@ class SmartTitlesHelperTest < ActionView::TestCase
   end
   def test_head_title_with_no_title
-    assert_includes head_title, "translation missing: en.title"
+    assert_includes head_title, "translation missing"
   end
@@ -116,8 +116,9 @@ class SmartTitlesHelperTest < ActionView::TestCase
   end
   def test_head_title_is_not_double_escaped
-    title 'New "post"'
+    result = title 'New "post"'
     assert_equal 'New &quot;post&quot;', h(head_title)
+    assert_equal '<h1>New &quot;post&quot;</h1>', h(result)
   end

metadata CHANGED Viewed

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: smart_titles
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Semyon Perepelitsa
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-05-23 00:00:00.000000000 Z
+date: 2013-12-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  prerelease: false
   name: activesupport
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
-- !ruby/object:Gem::Dependency
   prerelease: false
-  name: actionpack
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email: sema@sema.in
 executables: []
@@ -68,17 +68,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key:
 specification_version: 4
 summary: Really convenient way to set up page titles in a Rails application.