view_component 2.49.0 → 2.49.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of view_component might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/docs/CHANGELOG.md +12 -0
- data/lib/view_component/translatable.rb +30 -0
- data/lib/view_component/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ef9372866a072103dd38b8da27bfcf57ad66012524b6a80f6caf311a97533435
|
|
4
|
+
data.tar.gz: 654c9561c09c8cae7ca8720d126060e8196d38b0cd832d6a5a6e1f7e8c8ad133
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fbd9bf43a06132fa0d26fba5155382be904bba9aaf181c9bb0f715a3caf103f5ae7bff74640e62c31e3ea8600a61f5405e364553b5f56f3cbc5af7a22a77f5f8
|
|
7
|
+
data.tar.gz: 946639d557fd6dd76889c6a645187fc1235bd7e76817944429f306be1d7798ac9fe9b8005301f3ea106c564d6502d3e1bc21fc1ea5b9902784d99296979c8d93
|
data/docs/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,12 @@ title: Changelog
|
|
|
7
7
|
|
|
8
8
|
## main
|
|
9
9
|
|
|
10
|
+
## 2.49.1
|
|
11
|
+
|
|
12
|
+
* Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
|
|
13
|
+
|
|
14
|
+
*Cameron Dutro*
|
|
15
|
+
|
|
10
16
|
## 2.49.0
|
|
11
17
|
|
|
12
18
|
* Fix path handling for evaluated view components that broke in Ruby 3.1.
|
|
@@ -657,6 +663,12 @@ _Note: This release includes an underlying change to Slots that may affect incor
|
|
|
657
663
|
|
|
658
664
|
*Joel Hawksley*
|
|
659
665
|
|
|
666
|
+
## 2.29.1
|
|
667
|
+
|
|
668
|
+
* Patch XSS vulnerability in `ViewComponent::Translatable` module caused by improperly escaped interpolation arguments.
|
|
669
|
+
|
|
670
|
+
*Cameron Dutro*
|
|
671
|
+
|
|
660
672
|
## 2.29.0
|
|
661
673
|
|
|
662
674
|
* Allow Slot lambdas to share data from the parent component and allow chaining on the returned component.
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "erb"
|
|
3
4
|
require "set"
|
|
4
5
|
require "i18n"
|
|
5
6
|
require "action_view/helpers/translation_helper"
|
|
@@ -70,6 +71,10 @@ module ViewComponent
|
|
|
70
71
|
key = key&.to_s unless key.is_a?(String)
|
|
71
72
|
key = "#{i18n_scope}#{key}" if key.start_with?(".")
|
|
72
73
|
|
|
74
|
+
if HTML_SAFE_TRANSLATION_KEY.match?(key)
|
|
75
|
+
html_escape_translation_options!(options)
|
|
76
|
+
end
|
|
77
|
+
|
|
73
78
|
if key.start_with?(i18n_scope + ".")
|
|
74
79
|
translated =
|
|
75
80
|
catch(:exception) do
|
|
@@ -96,5 +101,30 @@ module ViewComponent
|
|
|
96
101
|
def i18n_scope
|
|
97
102
|
self.class.i18n_scope
|
|
98
103
|
end
|
|
104
|
+
|
|
105
|
+
def html_safe_translation(translation)
|
|
106
|
+
if translation.respond_to?(:map)
|
|
107
|
+
translation.map { |element| html_safe_translation(element) }
|
|
108
|
+
else
|
|
109
|
+
# It's assumed here that objects loaded by the i18n backend will respond to `#html_safe?`.
|
|
110
|
+
# It's reasonable that if we're in Rails, `active_support/core_ext/string/output_safety.rb`
|
|
111
|
+
# will provide this to `Object`.
|
|
112
|
+
translation.html_safe # rubocop:disable Rails/OutputSafety
|
|
113
|
+
end
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
private
|
|
117
|
+
|
|
118
|
+
def html_escape_translation_options!(options)
|
|
119
|
+
options.each do |name, value|
|
|
120
|
+
unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
|
|
121
|
+
options[name] = ERB::Util.html_escape(value.to_s)
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
|
|
126
|
+
def i18n_option?(name)
|
|
127
|
+
(@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
|
|
128
|
+
end
|
|
99
129
|
end
|
|
100
130
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: view_component
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.49.
|
|
4
|
+
version: 2.49.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitHub Open Source
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-02
|
|
11
|
+
date: 2022-03-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -373,7 +373,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
373
373
|
- !ruby/object:Gem::Version
|
|
374
374
|
version: '0'
|
|
375
375
|
requirements: []
|
|
376
|
-
rubygems_version: 3.
|
|
376
|
+
rubygems_version: 3.2.32
|
|
377
377
|
signing_key:
|
|
378
378
|
specification_version: 4
|
|
379
379
|
summary: View components for Rails
|