view_component 2.49.0 → 2.49.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8feda954b97fc366da967bee72554a1975a40f50aef0cbd1cde6f83f97547d49
4
- data.tar.gz: 92312db0824d58d24ee8f74f56c3a14e961f03fc71bb1669b1a529fedfb225f3
3
+ metadata.gz: ef9372866a072103dd38b8da27bfcf57ad66012524b6a80f6caf311a97533435
4
+ data.tar.gz: 654c9561c09c8cae7ca8720d126060e8196d38b0cd832d6a5a6e1f7e8c8ad133
5
5
  SHA512:
6
- metadata.gz: 1ff56022e2212300d6ae5f8ea8700364fc5675354476b1830e05885c6f4beff3f7b75d6733531eea10aa1b0830917e025686bf17af89606ed2e457aaf1004f73
7
- data.tar.gz: 5d8dddd267a4a627af6ba0a07507d9d0c2dd2ae38da92f542a690e2fa3052bdc56aa37488e1fde440c9a064b825f0ef1db3ec838f06eba4a4598b4e8c95e315f
6
+ metadata.gz: fbd9bf43a06132fa0d26fba5155382be904bba9aaf181c9bb0f715a3caf103f5ae7bff74640e62c31e3ea8600a61f5405e364553b5f56f3cbc5af7a22a77f5f8
7
+ data.tar.gz: 946639d557fd6dd76889c6a645187fc1235bd7e76817944429f306be1d7798ac9fe9b8005301f3ea106c564d6502d3e1bc21fc1ea5b9902784d99296979c8d93
data/docs/CHANGELOG.md CHANGED
@@ -7,6 +7,12 @@ title: Changelog
7
7
 
8
8
  ## main
9
9
 
10
+ ## 2.49.1
11
+
12
+ * Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
13
+
14
+ *Cameron Dutro*
15
+
10
16
  ## 2.49.0
11
17
 
12
18
  * Fix path handling for evaluated view components that broke in Ruby 3.1.
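Review bot: the new 2.49.1 entry names the module as `Translatable` while the matching 2.29.1 entry further down this same file says `ViewComponent::Translatable`; use the fully qualified name in both so a reader searching the changelog finds one consistent identifier. The entry also gives no pointer to an advisory or to the affected and fixed version range, which is the first thing a user triaging this release looks for; add a link to the advisory where one exists.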
@@ -657,6 +663,12 @@ _Note: This release includes an underlying change to Slots that may affect incor
657
663
 
658
664
  *Joel Hawksley*
659
665
 
666
+ ## 2.29.1
667
+
668
+ * Patch XSS vulnerability in `ViewComponent::Translatable` module caused by improperly escaped interpolation arguments.
669
+
670
+ *Cameron Dutro*
671
+
660
672
  ## 2.29.0
661
673
 
662
674
  * Allow Slot lambdas to share data from the parent component and allow chaining on the returned component.
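Review bot: recording the 2.29.1 backport in this changelog is useful, but nothing in the 2.49.1 entry at the top of the file says that a 2.29.x patch release exists, so users pinned to the older series have to scan six hundred lines down to learn there is a fix for them; a one-line cross-reference in the 2.49.1 entry ("also released as 2.29.1 for the 2.29 series") would cover that.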
@@ -1,5 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "erb"
3
4
  require "set"
4
5
  require "i18n"
5
6
  require "action_view/helpers/translation_helper"
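Review bot: the file this hunk belongs to is not named in the rendered diff, but the added `require "erb"` is what makes `ERB::Util.html_escape` in the later hunk resolvable without depending on ActionView having loaded `erb` first, which is the right fix. Note that once ActiveSupport is loaded it redefines `ERB::Util.html_escape` to pass html-safe input through unchanged, so the behaviour of the escaping added below differs between a bare `erb` process and a Rails process; that is worth a comment at the call site.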
@@ -70,6 +71,10 @@ module ViewComponent
70
71
  key = key&.to_s unless key.is_a?(String)
71
72
  key = "#{i18n_scope}#{key}" if key.start_with?(".")
72
73
 
74
+ if HTML_SAFE_TRANSLATION_KEY.match?(key)
75
+ html_escape_translation_options!(options)
76
+ end
77
+
73
78
  if key.start_with?(i18n_scope + ".")
74
79
  translated =
75
80
  catch(:exception) do
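Review bot: `HTML_SAFE_TRANSLATION_KEY` is referenced on the new `if` line but defined nowhere in this diff, so the patch only works if the constant already exists in the module; if it does not, every `translate` call raises `NameError`, and a test that translates a `_html` key would catch that. `html_escape_translation_options!(options)` also mutates the hash the caller passed in, so escaped values are visible to the caller after `translate` returns and a hash reused across several calls carries already-escaped strings into the next call; `options = options.dup` before the check, or a helper that builds a new hash, avoids the side effect. On the positive side, the check sits before the `i18n_scope` branch, so both the component-scoped and the global lookup paths receive escaped options.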
@@ -96,5 +101,30 @@ module ViewComponent
96
101
  def i18n_scope
97
102
  self.class.i18n_scope
98
103
  end
104
+
105
+ def html_safe_translation(translation)
106
+ if translation.respond_to?(:map)
107
+ translation.map { |element| html_safe_translation(element) }
108
+ else
109
+ # It's assumed here that objects loaded by the i18n backend will respond to `#html_safe?`.
110
+ # It's reasonable that if we're in Rails, `active_support/core_ext/string/output_safety.rb`
111
+ # will provide this to `Object`.
112
+ translation.html_safe # rubocop:disable Rails/OutputSafety
113
+ end
114
+ end
115
+
116
+ private
117
+
118
+ def html_escape_translation_options!(options)
119
+ options.each do |name, value|
120
+ unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
121
+ options[name] = ERB::Util.html_escape(value.to_s)
122
+ end
123
+ end
124
+ end
125
+
126
+ def i18n_option?(name)
127
+ (@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
128
+ end
99
129
  end
100
130
  end
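Review bot: `html_safe_translation` is defined above the `private` keyword, so it becomes part of the component's public interface even though its only job is to mark backend output as trusted; move it below `private` unless a caller outside the module needs it. In `html_escape_translation_options!`, `ERB::Util.html_escape(value.to_s)` depends on ActiveSupport's override of `html_escape`, which returns an already html-safe value unchanged; with the plain `erb` implementation a caller-supplied `html_safe` argument would be escaped again and its markup rendered as literal text. A comment on that line, or a test covering an html-safe interpolation argument, would make the dependency explicit. Minor: `@i18n_option_names` is memoised per component instance although `I18n::RESERVED_KEYS` never changes, so a module-level constant set would avoid rebuilding it for every instance.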
@@ -4,7 +4,7 @@ module ViewComponent
4
4
  module VERSION
5
5
  MAJOR = 2
6
6
  MINOR = 49
7
- PATCH = 0
7
+ PATCH = 1
8
8
 
9
9
  STRING = [MAJOR, MINOR, PATCH].join(".")
10
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: view_component
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.49.0
4
+ version: 2.49.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - GitHub Open Source
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-11 00:00:00.000000000 Z
11
+ date: 2022-03-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -373,7 +373,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
373
373
  - !ruby/object:Gem::Version
374
374
  version: '0'
375
375
  requirements: []
376
- rubygems_version: 3.3.3
376
+ rubygems_version: 3.2.32
377
377
  signing_key:
378
378
  specification_version: 4
379
379
  summary: View components for Rails
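Review bot: `rubygems_version` moves backwards from 3.3.3 to 3.2.32, which means this release was built with an older RubyGems than 2.49.0, presumably on a different machine or CI image. That is harmless for consumers, but for a security release it is worth keeping the build environment identical to the previous release so the only differences between the two gems are the intended code changes; with `cert_chain: []` in the first metadata hunk the gem is unsigned, so the digests in `checksums.yaml` are the only integrity data shipped.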