RubyGems - trek - Versions diffs - 0.1.22 → 0.1.23 - Mend

trek 0.1.22 → 0.1.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/Gemfile.lock +2 -2
data/app/components/trek/icon/sprite_component.rb +54 -8
data/lib/trek/version.rb +1 -1
data/package.json +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb5c6af64a8d5934859280f654a6c835a44af7d87125da7f76246abc0c77e974
-  data.tar.gz: 72f797bee0d73262a8636b0a2e08b753c275c4529b9fca26a9a2dac8fd61bd30
+  metadata.gz: c441a015bd63b8e650c1f39c225b2a40f6a6beebeff6db95d295a84a2c22eae2
+  data.tar.gz: 2f7543789a5cb718fdb9a69e6c6f4b9143164a525ea7d5620c5b8816e9d35e01
 SHA512:
-  metadata.gz: abdfd7fd9b23d6a1d7ea200df36cf61dc339f00be775dc3de25d982841e280a7ec1adc32613ff96c2c004c06773b888436ab54977ee1f75656f6a7b7b867cdec
-  data.tar.gz: 54835b0a50cdcd83003b162a6ee061c161d7fa2c29293f421c9a11a300516131f30ca538091b3a99c793fb3fe88ac9f220fbf14bad661f9b89ed7da80b294271
+  metadata.gz: 1086f69da18c67aa88915c9556c511bca3f30eb981d768078d7f962f8ebf340769be08b0b131f8e873544cd4a152b715a28d7baacabaf19993a685e1c090083c
+  data.tar.gz: 8507af27451b4ed7445fe1748e00a246392631d20c2804f213826356fa898a8b29aaf77a716a64233470022e7817209fbd103fbaa98b8482335f59b1279a0f33

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    trek (0.1.22)
+    trek (0.1.23)
       action_policy (~> 0.6)
       actioncable
       acts_as_list (~> 1.1)
@@ -288,7 +288,7 @@ GEM
     mobility (1.3.2)
       i18n (>= 0.6.10, < 2)
       request_store (~> 1.0)
-    net-imap (0.6.4)
+    net-imap (0.6.4.1)
       date
       net-protocol
     net-pop (0.1.2)

data/app/components/trek/icon/sprite_component.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require "rails-html-sanitizer"
 module Trek
   module Icon
     class SpriteComponent < Trek::Component
@@ -43,6 +45,56 @@ module Trek
       private
+      # rubocop:disable Rails/OutputSafety
+      def sanitized_svg(key, svg_string)
+        sanitizer = Rails::Html::SafeListSanitizer.new
+        # First pass: sanitize svg element with only symbol attributes
+        svg_sanitized = sanitizer.sanitize(
+          svg_string,
+          tags: %w[svg],
+          attributes: allowed_symbol_attributes
+        )
+        # Second pass: sanitize children with child attributes
+        children_sanitized = sanitizer.sanitize(
+          svg_string,
+          tags: allowed_child_tags,
+          attributes: allowed_child_attributes
+        )
+        # Extract inner content (children) from the second pass
+        inner_content = children_sanitized.sub(/<svg[^>]*>/, "").sub("</svg>", "")
+        # Combine: symbol element from first pass + children from second pass
+        svg_sanitized
+          .sub("<svg", "<symbol id=\"c-icon-#{key}\"")
+          .gsub(/#0{3,6}/, "currentColor")
+          .sub(">", ">#{inner_content}")
+          .sub("</svg>", "</symbol>")
+          .gsub(/[\r\n]+/, "")
+          .strip
+          .html_safe
+      end
+      # rubocop:enable Rails/OutputSafety
+      def allowed_child_tags
+        %w[path circle rect line polyline polygon ellipse g defs use]
+      end
+      def allowed_symbol_attributes
+        %w[viewbox fill stroke stroke-width stroke-linecap stroke-linejoin stroke-miterlimit]
+      end
+      def allowed_child_attributes
+        %w[
+          x x1 x2 y y1 y2 cx cy r rx ry d fill stroke stroke-width height width
+          stroke-linecap stroke-linejoin stroke-miterlimit transform
+        ]
+      end
+      #
       # rubocop:disable Rails/OutputSafety
       # rubocop:disable Metrics/MethodLength
       def svg_as_symbol(key)
@@ -51,14 +103,8 @@ module Trek
         return if icon_files.empty?
         file = File.open(icon_files.last, "rb")
-        file
-          .read
-          .gsub("<svg ", "<symbol id=\"c-icon-#{key}\" ")
-          .gsub("</svg", "</symbol")
-          .gsub(/#0{3,6}/, "currentColor")
-          .gsub(/ ?(height|width|version|xmlns)="([^"]+)"/, "")
-          .gsub("xmlns=\"http://www.w3.org/2000/svg\"", "")
-          .html_safe
+        sanitized_svg(key, file.read)
       end
       # rubocop:enable Metrics/MethodLength
       # rubocop:enable Rails/OutputSafety

data/lib/trek/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Trek
-  VERSION = "0.1.22"
+  VERSION = "0.1.23"
 end

data/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@etaminstudio/trek",
-  "version": "0.1.22",
+  "version": "0.1.23",
   "description": "A modern CMS for Ruby on Rails",
   "main": "app/javascript/trek.js",
   "repository": {

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: trek
 version: !ruby/object:Gem::Version
-  version: 0.1.22
+  version: 0.1.23
 platform: ruby
 authors:
 - Mohamed Bengrich