RubyGems - twitter-bootstrap-rails-confirm - Versions diffs - 2.0.1 → 2.0.2 - Mend

twitter-bootstrap-rails-confirm 2.0.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +4 -0
data/lib/twitter-bootstrap-rails-confirm/version.rb +1 -1
data/vendor/assets/javascripts/twitter/bootstrap/rails/confirm.js +9 -4
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b4af854cb39f612728a02d3eb6197d9e39ca4243
-  data.tar.gz: 104a72de5382e6907e83300859c3fa8aad70b2a5
+  metadata.gz: 5c6fc0126e16b808c7ee4fb81e5e5c589693a33c
+  data.tar.gz: 35b26a8694584f33e5c9d11be9d5fb12472a0cef
 SHA512:
-  metadata.gz: 1815f79cf919fb1c21d3348373bba37cbed840ba2cc18d07d246067ac2a12e9bad1aa70711d460d1c73d7ff7de652fdb4186b29ecd3c5cebc482772e6ab151d7
-  data.tar.gz: 1bf20de563029a8abd3fc399cec25d0d3db3c5a711591ea081ce966550c6acaad7bcfa3eb89cddcf0ba4abc84434e15f074cde86ff2ffb301bd4c7df1e75e8be
+  metadata.gz: e81136caf2cc11ab8630b67fa600637ede0e87438bcf177ecaeb35b6a67d299bff42ad018e7a66eac1499fc964531e9f569cf96704db60866049bb0c8fb6deb7
+  data.tar.gz: 00efad5027fa893dc46f0e3099c518b9442615e01b3d5fbc94ec713bc64860e32757b58c29d12a4996797ef275185cf01a761684bacb2bf213aa1548e2af0849

data/README.md CHANGED Viewed

@@ -93,6 +93,10 @@ simple app that loads Bootstrap and this gem.
 ## Changelog
+### 2.0.2 (January 18, 2022)
+* BREAKING: Resolved possible XSS by using .text() over .html()
 ### 2.0.1 (January 14, 2018)
 * [(eirvandelden)](https://github.com/eirvandelden) [Bootstrap 4 version is stored in Tooltip.VERSION](https://github.com/bluerail/twitter-bootstrap-rails-confirm/pull/38)

data/lib/twitter-bootstrap-rails-confirm/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@ module Twitter
   module Bootstrap
     module Rails
       module Confirm
-        VERSION = "2.0.1"
+        VERSION = "2.0.2"
       end
     end
   end

data/vendor/assets/javascripts/twitter/bootstrap/rails/confirm.js CHANGED Viewed

@@ -42,12 +42,17 @@
       $dialog.addClass("fade");
     }
-    $dialog.find(".modal-header .modal-title").html(element.data("confirm-title") || $.fn.twitter_bootstrap_confirmbox.defaults.title || window.top.location.origin);
+    $dialog.find(".modal-header .modal-title").text(element.data("confirm-title") || $.fn.twitter_bootstrap_confirmbox.defaults.title || window.top.location.origin);
-    $dialog.find(".modal-body").html(message.toString().replace(/\n/g, "<br />"));
+    var dialog_body = $dialog.find(".modal-body");
+    var paragraphs = message.toString().split(/\n/);
+    dialog_body.html('');
+    for (var paragraph_index in paragraphs) {
+      $("<p></p>").appendTo(dialog_body).text(paragraphs[paragraph_index]);
+    }
     var cancel_buton = $("<a />", { href: "#", "data-dismiss": "modal" });
-    cancel_buton.html(element.data("confirm-cancel") || $.fn.twitter_bootstrap_confirmbox.defaults.cancel);
+    cancel_buton.text(element.data("confirm-cancel") || $.fn.twitter_bootstrap_confirmbox.defaults.cancel);
     cancel_buton.addClass($.fn.twitter_bootstrap_confirmbox.defaults.cancel_class);
     cancel_buton.addClass(element.data("confirm-cancel-class") || (bootstrap_version === 4 ? "btn-secondary" : void 0) || "btn-default");
     cancel_buton.click(function(event) {
@@ -57,7 +62,7 @@
     $dialog.find(".modal-footer").append(cancel_buton);
     var confirm_button = $("<a />", { href: "#" });
-    confirm_button.html(element.data("confirm-proceed") || $.fn.twitter_bootstrap_confirmbox.defaults.proceed);
+    confirm_button.text(element.data("confirm-proceed") || $.fn.twitter_bootstrap_confirmbox.defaults.proceed);
     confirm_button.addClass($.fn.twitter_bootstrap_confirmbox.defaults.proceed_class);
     confirm_button.addClass(element.data("confirm-proceed-class") || "btn-primary");
     confirm_button.click(function(event) {

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: twitter-bootstrap-rails-confirm
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors:
 - Rene van Lieshout
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-15 00:00:00.000000000 Z
+date: 2022-01-18 00:00:00.000000000 Z
 dependencies: []
 description: Confirm dialogs using Twitter Bootstrap
 email:
@@ -17,7 +17,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
+- .gitignore
 - Gemfile
 - LICENSE
 - README.md
@@ -37,17 +37,17 @@ require_paths:
 - vendor
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.2.3
+rubygems_version: 2.0.14.1
 signing_key:
 specification_version: 4
 summary: Applies a custom confirm dialog for elements with a data-confirm attribute.