view_component 2.30.0 → 2.31.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6bb3c2781d5f07f404e5bf9582758537704a05c3937529c250ae657541d4f664
-  data.tar.gz: 0efa6d2e3bbf03ed206e02b9dad11bea1f5649ab655dfff78d1f48c68414129f
+  metadata.gz: aed268c7e5731efdfba6e0d5764f04bcca9e456329afa15f31ebe7198c6bc79e
+  data.tar.gz: bc455dc076927f9a374788cd4a043df0a8905f9e6b64f5475fa9b7f1b1f38cc3
 SHA512:
-  metadata.gz: 9222381535158cc047e33e37341329c232ac984ee3f6895e95251cd9dabc9b92baebb69b336500932c264b48eb7f74ef0b7d3f918473d8fe83151ad73c18323b
-  data.tar.gz: 4da1bd8980affd316288695a52e9fcdccad912f3447081f0186194190ad48e52d397f36c34b3bea70ea743d32f2eda8d37779ecb588b50cbd626f7d89a4f365c
+  metadata.gz: 455f1f06841908fe6239c93d9f4e2f99aa42e2bba64a6293bd4f2d5e8823225322566962c35ca46c0788bbfa085096ab15ede650e229759a05aa0c2f0f6b5e5c
+  data.tar.gz: b2fde290f722b87ca420bfd2f722184e4f3d79a987bb3ea93c29ae8f7c587a090276e9cdcf94e7434147b6ff02b8fb8492db86945c107c9e328b1c3ab4798786

data/CHANGELOG.md

@@ -2,6 +2,48 @@
 
 ## main
 
+## 2.31.2
+
+* Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
+
+    *Cameron Dutro*
+
+## 2.31.1
+
+* Fix `DEPRECATION WARNING: before_render_check` when compiling `ViewComponent::Base`
+
+    *Dave Kroondyk*
+
+## 2.31.0
+
+* Add `#with_content` to allow setting content without a block.
+
+    *Jordan Raine, Manuel Puyol*
+
+* Add `with_request_url` test helper.
+
+    *Mario Schüttel*
+
+* Improve feature parity with Rails translations
+  * Don't create a translation backend if the component has no translation file
+  * Mark translation keys ending with `html` as HTML-safe
+  * Always convert keys to String
+  * Support multiple keys
+
+    *Elia Schito*
+
+* Fix errors on `asset_url` helpers when `asset_host` has no protocol.
+
+    *Elia Schito*
+
+* Prevent slots from overriding the `#content` method when registering a slot with that name.
+
+    *Blake Williams*
+
+* Deprecate `with_slot` in favor of the new [slots API](https://viewcomponent.org/guide/slots.html).
+
+    *Manuel Puyol*
+
 ## 2.30.0
 
 * Deprecate `with_content_areas` in favor of [slots](https://viewcomponent.org/guide/slots.html).

data/lib/view_component/base.rb

@@ -7,12 +7,14 @@ require "view_component/compile_cache"
 require "view_component/previewable"
 require "view_component/slotable"
 require "view_component/slotable_v2"
+require "view_component/with_content_helper"
 
 module ViewComponent
   class Base < ActionView::Base
     include ActiveSupport::Configurable
     include ViewComponent::Previewable
     include ViewComponent::SlotableV2
+    include ViewComponent::WithContentHelper
 
     ViewContextCalledBeforeRenderError = Class.new(StandardError)
 
@@ -79,6 +81,8 @@ module ViewComponent
       old_current_template = @current_template
       @current_template = self
 
+      raise ArgumentError.new("Block provided after calling `with_content`. Use one or the other.") if block && defined?(@_content_set_by_with_content)
+
       @_content_evaluated = false
       @_render_in_block = block
 
@@ -169,8 +173,6 @@ module ViewComponent
       self
     end
 
-    private
-
     # Exposes the current request to the component.
     # Use sparingly as doing so introduces coupling
     # that inhibits encapsulation & reuse.
@@ -178,6 +180,8 @@ module ViewComponent
       @request ||= controller.request
     end
 
+    private
+
     attr_reader :view_context
 
     def content
@@ -186,6 +190,8 @@ module ViewComponent
 
       @_content = if @view_context && @_render_in_block
         view_context.capture(self, &@_render_in_block)
+      elsif defined?(@_content_set_by_with_content)
+        @_content_set_by_with_content
       end
     end
 
@@ -280,7 +286,7 @@ module ViewComponent
       end
 
       def compiled?
-        template_compiler.compiled?
+        compiler.compiled?
       end
 
       # Compile templates to instance methods, assuming they haven't been compiled already.
@@ -288,11 +294,11 @@ module ViewComponent
       # Do as much work as possible in this step, as doing so reduces the amount
       # of work done each time a component is rendered.
       def compile(raise_errors: false)
-        template_compiler.compile(raise_errors: raise_errors)
+        compiler.compile(raise_errors: raise_errors)
       end
 
-      def template_compiler
-        @_template_compiler ||= Compiler.new(self)
+      def compiler
+        @_compiler ||= Compiler.new(self)
       end
 
       # we'll eventually want to update this to support other types
@@ -365,7 +371,7 @@ module ViewComponent
       def validate_initialization_parameters!
         return unless initialize_parameter_names.include?(RESERVED_PARAMETER)
 
-        raise ArgumentError.new(
+        raise ViewComponent::ComponentError.new(
           "#{self} initializer cannot contain " \
           "`#{RESERVED_PARAMETER}` since it will override a " \
           "public ViewComponent method."
@@ -385,7 +391,7 @@ module ViewComponent
       end
 
       def counter_argument_present?
-        instance_method(:initialize).parameters.map(&:second).include?(collection_counter_parameter)
+        initialize_parameter_names.include?(collection_counter_parameter)
       end
 
       private

data/lib/view_component/compiler.rb

@@ -13,12 +13,18 @@ module ViewComponent
     def compile(raise_errors: false)
       return if compiled?
 
+      subclass_instance_methods = component_class.instance_methods(false)
+
+      if subclass_instance_methods.include?(:with_content) && raise_errors
+        raise ViewComponent::ComponentError.new("#{component_class} implements a reserved method, `with_content`.")
+      end
+
       if template_errors.present?
         raise ViewComponent::TemplateError.new(template_errors) if raise_errors
         return false
       end
 
-      if component_class.instance_methods(false).include?(:before_render_check)
+      if subclass_instance_methods.include?(:before_render_check)
         ActiveSupport::Deprecation.warn(
           "`before_render_check` will be removed in v3.0.0. Use `before_render` instead."
         )

data/lib/view_component/component_error.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module ViewComponent
+  class ComponentError < StandardError
+  end
+end

data/lib/view_component/slot_v2.rb

@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
+require "view_component/with_content_helper"
+
 module ViewComponent
   class SlotV2
+    include ViewComponent::WithContentHelper
+
     attr_writer :_component_instance, :_content_block, :_content
 
     def initialize(parent)
@@ -26,10 +30,18 @@ module ViewComponent
 
       view_context = @parent.send(:view_context)
 
+      raise ArgumentError.new("Block provided after calling `with_content`. Use one or the other.") if defined?(@_content_block) && defined?(@_content_set_by_with_content)
+
       @content = if defined?(@_component_instance)
-        # render_in is faster than `parent.render`
-        if defined?(@_content_block)
+        if defined?(@_content_set_by_with_content)
+          @_component_instance.with_content(@_content_set_by_with_content)
+
+          view_context.capture do
+            @_component_instance.render_in(view_context)
+          end
+        elsif defined?(@_content_block)
           view_context.capture do
+            # render_in is faster than `parent.render`
             @_component_instance.render_in(view_context, &@_content_block)
           end
         else
@@ -41,6 +53,8 @@ module ViewComponent
         @_content
       elsif defined?(@_content_block)
         view_context.capture(&@_content_block)
+      elsif defined?(@_content_set_by_with_content)
+        @_content_set_by_with_content
       end
 
       @content

data/lib/view_component/slotable.rb

@@ -23,6 +23,11 @@ module ViewComponent
       #   class_name: "Header" # class name string, used to instantiate Slot
       # )
       def with_slot(*slot_names, collection: false, class_name: nil)
+        ActiveSupport::Deprecation.warn(
+          "`with_slot` is deprecated and will be removed in ViewComponent v3.0.0.\n" \
+          "Use the new slots API (https://viewcomponent.org/guide/slots.html) instead."
+        )
+
         slot_names.each do |slot_name|
           # Ensure slot_name is not already declared
           if self.slots.key?(slot_name)

data/lib/view_component/slotable_v2.rb

@@ -175,6 +175,10 @@ module ViewComponent
       end
 
       def validate_slot_name(slot_name)
+        if slot_name.to_sym == :content
+          raise ArgumentError.new("#{slot_name} is not a valid slot name.")
+        end
+
         if self.registered_slots.key?(slot_name)
           # TODO remove? This breaks overriding slots when slots are inherited
           raise ArgumentError.new("#{slot_name} slot declared multiple times")
@@ -251,7 +255,7 @@ module ViewComponent
         @_set_slots[slot_name] = slot
       end
 
-      nil
+      slot
     end
   end
 end

data/lib/view_component/test_helpers.rb

@@ -60,6 +60,17 @@ module ViewComponent
       @controller = old_controller
     end
 
+    def with_request_url(path)
+      old_request_path_parameters = request.path_parameters
+      old_controller = defined?(@controller) && @controller
+
+      request.path_parameters = Rails.application.routes.recognize_path(path)
+      yield
+    ensure
+      request.path_parameters = old_request_path_parameters
+      @controller = old_controller
+    end
+
     def build_controller(klass)
       klass.new.tap { |c| c.request = request }.extend(Rails.application.routes.url_helpers)
     end

data/lib/view_component/translatable.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "erb"
 require "set"
 require "i18n"
 require "action_view/helpers/translation_helper"
@@ -9,6 +10,8 @@ module ViewComponent
   module Translatable
     extend ActiveSupport::Concern
 
+    HTML_SAFE_TRANSLATION_KEY = /(?:_|\b)html\z/.freeze
+
     included do
       class_attribute :i18n_backend, instance_writer: false, instance_predicate: false
     end
@@ -21,11 +24,16 @@ module ViewComponent
       def _after_compile
         super
 
-        unless CompileCache.compiled? self
+        return if CompileCache.compiled? self
+
+        if (translation_files = _sidecar_files(%w[yml yaml])).any?
           self.i18n_backend = I18nBackend.new(
             i18n_scope: i18n_scope,
-            load_paths: _sidecar_files(%w[yml yaml]),
+            load_paths: translation_files,
           )
+        else
+          # Cleanup if translations file has been removed since the last compilation
+          self.i18n_backend = nil
         end
       end
     end
@@ -55,21 +63,32 @@ module ViewComponent
       end
     end
 
-    def translate(key = nil, locale: nil, **options)
-      locale ||= ::I18n.locale
+    def translate(key = nil, **options)
+      return super unless i18n_backend
+      return key.map { |k| translate(k, **options) } if key.is_a?(Array)
 
+      locale = options.delete(:locale) || ::I18n.locale
+      key = key&.to_s unless key.is_a?(String)
       key = "#{i18n_scope}#{key}" if key.start_with?(".")
 
-      result = catch(:exception) do
+      if HTML_SAFE_TRANSLATION_KEY.match?(key)
+        html_escape_translation_options!(options)
+      end
+
+      translated = catch(:exception) do
         i18n_backend.translate(locale, key, options)
       end
 
       # Fallback to the global translations
-      if result.is_a? ::I18n::MissingTranslation
-        result = helpers.t(key, locale: locale, **options)
+      if translated.is_a? ::I18n::MissingTranslation
+        return super(key, locale: locale, **options)
       end
 
-      result
+      if HTML_SAFE_TRANSLATION_KEY.match?(key)
+        translated = translated.html_safe
+      end
+
+      translated
     end
     alias :t :translate
 
@@ -77,5 +96,19 @@ module ViewComponent
     def i18n_scope
       self.class.i18n_scope
     end
+
+    private
+
+    def html_escape_translation_options!(options)
+      options.each do |name, value|
+        unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
+          options[name] = ERB::Util.html_escape(value.to_s)
+        end
+      end
+    end
+
+    def i18n_option?(name)
+      (@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
+    end
   end
 end

data/lib/view_component/version.rb

@@ -3,8 +3,8 @@
 module ViewComponent
   module VERSION
     MAJOR = 2
-    MINOR = 30
-    PATCH = 0
+    MINOR = 31
+    PATCH = 2
 
     STRING = [MAJOR, MINOR, PATCH].join(".")
   end

data/lib/view_component/with_content_helper.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ViewComponent
+  module WithContentHelper
+    def with_content(value)
+      if value.nil?
+        raise ArgumentError.new("No content provided.")
+      else
+        @_content_set_by_with_content = value
+      end
+
+      self
+    end
+  end
+end

data/lib/view_component.rb

@@ -7,6 +7,7 @@ module ViewComponent
 
   autoload :Base
   autoload :Compiler
+  autoload :ComponentError
   autoload :Preview
   autoload :PreviewTemplateError
   autoload :TestHelpers

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: view_component
 version: !ruby/object:Gem::Version
-  version: 2.30.0
+  version: 2.31.2
 platform: ruby
 authors:
 - GitHub Open Source
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-02 00:00:00.000000000 Z
+date: 2022-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -212,7 +212,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.13'
-description: 
+description:
 email:
 - opensource+view_component@github.com
 executables: []
@@ -246,6 +246,7 @@ files:
 - lib/view_component/collection.rb
 - lib/view_component/compile_cache.rb
 - lib/view_component/compiler.rb
+- lib/view_component/component_error.rb
 - lib/view_component/engine.rb
 - lib/view_component/preview.rb
 - lib/view_component/preview_template_error.rb
@@ -265,12 +266,13 @@ files:
 - lib/view_component/test_helpers.rb
 - lib/view_component/translatable.rb
 - lib/view_component/version.rb
+- lib/view_component/with_content_helper.rb
 homepage: https://github.com/github/view_component
 licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -285,8 +287,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: View components for Rails
 test_files: []