view_component 2.31.1 → 2.31.2



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f29c10730d8ec00ec04c0a7236b5f0eefb56235012c866b9af8566f2b4d25a1b
4
- data.tar.gz: e1ebe3cab15bb375740e012474aef4d31a4d44dbf5cfc302ad2248567b704009
3
+ metadata.gz: aed268c7e5731efdfba6e0d5764f04bcca9e456329afa15f31ebe7198c6bc79e
4
+ data.tar.gz: bc455dc076927f9a374788cd4a043df0a8905f9e6b64f5475fa9b7f1b1f38cc3
5
5
  SHA512:
6
- metadata.gz: 479fc618baf4e945087b0738d0dcf0c621060a8f81f0916149c9f93be0cd7dc2f715fd1f5e45c2ecf365ed5db44bfa4c1e34c406bdfab443556f08c1aaabf2cb
7
- data.tar.gz: '099ee8077b1d6c866710dc16abe53c9e9159c2966f9505bdf1492a370f411a4f242191feba37d0fb9e74d158b3f87b41e1cb2f812fb0da012ae7a93caccf4818'
6
+ metadata.gz: 455f1f06841908fe6239c93d9f4e2f99aa42e2bba64a6293bd4f2d5e8823225322566962c35ca46c0788bbfa085096ab15ede650e229759a05aa0c2f0f6b5e5c
7
+ data.tar.gz: b2fde290f722b87ca420bfd2f722184e4f3d79a987bb3ea93c29ae8f7c587a090276e9cdcf94e7434147b6ff02b8fb8492db86945c107c9e328b1c3ab4798786
data/CHANGELOG.md CHANGED
@@ -2,6 +2,12 @@
2
2
 
3
3
  ## main
4
4
 
5
+ ## 2.31.2
6
+
7
+ * Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
8
+
9
+ *Cameron Dutro*
10
+
5
11
  ## 2.31.1
6
12
 
7
13
  * Fix `DEPRECATION WARNING: before_render_check` when compiling `ViewComponent::Base`
@@ -1,5 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "erb"
3
4
  require "set"
4
5
  require "i18n"
5
6
  require "action_view/helpers/translation_helper"
@@ -70,6 +71,10 @@ module ViewComponent
70
71
  key = key&.to_s unless key.is_a?(String)
71
72
  key = "#{i18n_scope}#{key}" if key.start_with?(".")
72
73
 
74
+ if HTML_SAFE_TRANSLATION_KEY.match?(key)
75
+ html_escape_translation_options!(options)
76
+ end
77
+
73
78
  translated = catch(:exception) do
74
79
  i18n_backend.translate(locale, key, options)
75
80
  end
@@ -91,5 +96,19 @@ module ViewComponent
91
96
  def i18n_scope
92
97
  self.class.i18n_scope
93
98
  end
99
+
100
+ private
101
+
102
+ def html_escape_translation_options!(options)
103
+ options.each do |name, value|
104
+ unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
105
+ options[name] = ERB::Util.html_escape(value.to_s)
106
+ end
107
+ end
108
+ end
109
+
110
+ def i18n_option?(name)
111
+ (@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
112
+ end
94
113
  end
95
114
  end
@@ -4,7 +4,7 @@ module ViewComponent
4
4
  module VERSION
5
5
  MAJOR = 2
6
6
  MINOR = 31
7
- PATCH = 1
7
+ PATCH = 2
8
8
 
9
9
  STRING = [MAJOR, MINOR, PATCH].join(".")
10
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: view_component
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.31.1
4
+ version: 2.31.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - GitHub Open Source
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-27 00:00:00.000000000 Z
11
+ date: 2022-03-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -212,7 +212,7 @@ dependencies:
212
212
  - - "~>"
213
213
  - !ruby/object:Gem::Version
214
214
  version: '0.13'
215
- description:
215
+ description:
216
216
  email:
217
217
  - opensource+view_component@github.com
218
218
  executables: []
@@ -272,7 +272,7 @@ licenses:
272
272
  - MIT
273
273
  metadata:
274
274
  allowed_push_host: https://rubygems.org
275
- post_install_message:
275
+ post_install_message:
276
276
  rdoc_options: []
277
277
  require_paths:
278
278
  - lib
@@ -287,8 +287,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
287
287
  - !ruby/object:Gem::Version
288
288
  version: '0'
289
289
  requirements: []
290
- rubygems_version: 3.1.2
291
- signing_key:
290
+ rubygems_version: 3.2.22
291
+ signing_key:
292
292
  specification_version: 4
293
293
  summary: View components for Rails
294
294
  test_files: []