RubyGems - view_component - Versions diffs - 2.31.1 → 2.31.2 - Mend

view_component 2.31.1 → 2.31.2

This version of view_component might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f29c10730d8ec00ec04c0a7236b5f0eefb56235012c866b9af8566f2b4d25a1b
-  data.tar.gz: e1ebe3cab15bb375740e012474aef4d31a4d44dbf5cfc302ad2248567b704009
+  metadata.gz: aed268c7e5731efdfba6e0d5764f04bcca9e456329afa15f31ebe7198c6bc79e
+  data.tar.gz: bc455dc076927f9a374788cd4a043df0a8905f9e6b64f5475fa9b7f1b1f38cc3
 SHA512:
-  metadata.gz: 479fc618baf4e945087b0738d0dcf0c621060a8f81f0916149c9f93be0cd7dc2f715fd1f5e45c2ecf365ed5db44bfa4c1e34c406bdfab443556f08c1aaabf2cb
-  data.tar.gz: '099ee8077b1d6c866710dc16abe53c9e9159c2966f9505bdf1492a370f411a4f242191feba37d0fb9e74d158b3f87b41e1cb2f812fb0da012ae7a93caccf4818'
+  metadata.gz: 455f1f06841908fe6239c93d9f4e2f99aa42e2bba64a6293bd4f2d5e8823225322566962c35ca46c0788bbfa085096ab15ede650e229759a05aa0c2f0f6b5e5c
+  data.tar.gz: b2fde290f722b87ca420bfd2f722184e4f3d79a987bb3ea93c29ae8f7c587a090276e9cdcf94e7434147b6ff02b8fb8492db86945c107c9e328b1c3ab4798786

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 ## main
+## 2.31.2
+* Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
+    *Cameron Dutro*
 ## 2.31.1
 * Fix `DEPRECATION WARNING: before_render_check` when compiling `ViewComponent::Base`

data/lib/view_component/translatable.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "erb"
 require "set"
 require "i18n"
 require "action_view/helpers/translation_helper"
@@ -70,6 +71,10 @@ module ViewComponent
       key = key&.to_s unless key.is_a?(String)
       key = "#{i18n_scope}#{key}" if key.start_with?(".")
+      if HTML_SAFE_TRANSLATION_KEY.match?(key)
+        html_escape_translation_options!(options)
+      end
       translated = catch(:exception) do
         i18n_backend.translate(locale, key, options)
       end
@@ -91,5 +96,19 @@ module ViewComponent
     def i18n_scope
       self.class.i18n_scope
     end
+    private
+    def html_escape_translation_options!(options)
+      options.each do |name, value|
+        unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
+          options[name] = ERB::Util.html_escape(value.to_s)
+        end
+      end
+    end
+    def i18n_option?(name)
+      (@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
+    end
   end
 end

data/lib/view_component/version.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module ViewComponent
   module VERSION
     MAJOR = 2
     MINOR = 31
-    PATCH = 1
+    PATCH = 2
     STRING = [MAJOR, MINOR, PATCH].join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: view_component
 version: !ruby/object:Gem::Version
-  version: 2.31.1
+  version: 2.31.2
 platform: ruby
 authors:
 - GitHub Open Source
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-27 00:00:00.000000000 Z
+date: 2022-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -212,7 +212,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.13'
-description:
+description:
 email:
 - opensource+view_component@github.com
 executables: []
@@ -272,7 +272,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -287,8 +287,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key:
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: View components for Rails
 test_files: []