Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-actionview-7.0 for openSUSE:Factory checked in at 2022-04-30 22:52:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-7.0 (Old) and /work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionview-7.0" Sat Apr 30 22:52:18 2022 rev:3 rq:974038 version:7.0.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-actionview-7.0/rubygem-actionview-7.0.changes 2022-03-11 11:35:09.378189154 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1538/rubygem-actionview-7.0.changes 2022-04-30 22:52:23.748212723 +0200 @@ -1,0 +2,18 @@ +Thu Apr 28 05:10:47 UTC 2022 - Stephan Kulow <co...@suse.com> + +updated to version 7.0.2.4 + see installed CHANGELOG.md + + ## Rails 7.0.2.4 (April 26, 2022) ## + + * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. + + Escape dangerous characters in names of tags and names of attributes in the + tag helpers, following the XML specification. Rename the option + `:escape_attributes` to `:escape`, to simplify by applying the option to the + whole tag. + + *??lvaro Mart??n Fraguas* + + +------------------------------------------------------------------- Old: ---- actionview-7.0.2.3.gem New: ---- actionview-7.0.2.4.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionview-7.0.spec ++++++ --- /var/tmp/diff_new_pack.r8kpO1/_old 2022-04-30 22:52:24.636213925 +0200 +++ /var/tmp/diff_new_pack.r8kpO1/_new 2022-04-30 22:52:24.640213930 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-actionview-7.0 -Version: 7.0.2.3 +Version: 7.0.2.4 Release: 0 %define mod_name actionview %define mod_full_name %{mod_name}-%{version} ++++++ actionview-7.0.2.3.gem -> actionview-7.0.2.4.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2022-03-08 18:50:07.000000000 +0100 +++ new/CHANGELOG.md 2022-04-26 21:32:40.000000000 +0200 
@@ -1,3 +1,14 @@ +## Rails 7.0.2.4 (April 26, 2022) ## + +* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. + + Escape dangerous characters in names of tags and names of attributes in the + tag helpers, following the XML specification. Rename the option + `:escape_attributes` to `:escape`, to simplify by applying the option to the + whole tag. + + *??lvaro Mart??n Fraguas* + ## Rails 7.0.2.3 (March 08, 2022) ## * No changes. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_view/gem_version.rb new/lib/action_view/gem_version.rb --- old/lib/action_view/gem_version.rb 2022-03-08 18:50:07.000000000 +0100 +++ new/lib/action_view/gem_version.rb 2022-04-26 21:32:40.000000000 +0200 @@ -10,7 +10,7 @@ MAJOR = 7 MINOR = 0 TINY = 2 - PRE = "3" + PRE = "4" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_view/helpers/tag_helper.rb new/lib/action_view/helpers/tag_helper.rb --- old/lib/action_view/helpers/tag_helper.rb 2022-03-08 18:50:07.000000000 +0100 +++ new/lib/action_view/helpers/tag_helper.rb 2022-04-26 21:32:40.000000000 +0200 
@@ -65,18 +65,25 @@ tag_string(:p, *arguments, **options, &block) end - def tag_string(name, content = nil, escape_attributes: true, **options, &block) + def tag_string(name, content = nil, **options, &block) + escape = handle_deprecated_escape_options(options) + content = @view_context.capture(self, &block) if block_given? if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil? - "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe + "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe else - content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes) + content_tag_string(name.to_s.dasherize, content || "", options, escape) end end def content_tag_string(name, content, options, escape = true) tag_options = tag_options(options, escape) if options - content = ERB::Util.unwrapped_html_escape(content) if escape + + if escape + name = ERB::Util.xml_name_escape(name) + content = ERB::Util.unwrapped_html_escape(content) + end + "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe end @@ -127,6 +134,8 @@ end def tag_option(key, value, escape) + key = ERB::Util.xml_name_escape(key) if escape + case value when Array, Hash value = TagHelper.build_tag_values(value) if key.to_s == "class" @@ -137,6 +146,7 @@ value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s end value = value.gsub('"', """) if value.include?('"') + %(#{key}="#{value}") end 
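Review bot: In the `tag_string` hunk the void-element branch still interpolates `name.to_s.dasherize` without `ERB::Util.xml_name_escape`, while `content_tag_string` now escapes the name whenever `escape` is set; that branch is only reachable after `HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)` succeeds, so the name comes from a fixed allowlist, but nothing says so at the point of use. A comment such as `# name passed the void-element allowlist above, so it needs no xml_name_escape` would stop a later edit of that condition from silently reopening the gap. In `tag_option` (the `@@ -127` hunk on this line) the escaped `key` is presumably a String where the caller may have passed a Symbol; the following `key.to_s == "class"` comparison tolerates that, but `tag_option` continues past the hunk, so any identity or Symbol comparison on `key` further down should be checked. `tag_string` and `content_tag_string` are shown in full; `tag_option` is not.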
@@ -153,6 +163,27 @@ true end + def handle_deprecated_escape_options(options) + # The option :escape_attributes has been merged into the options hash to be + # able to warn when it is used, so we need to handle default values here. + escape_option_provided = options.has_key?(:escape) + escape_attributes_option_provided = options.has_key?(:escape_attributes) + + if escape_attributes_option_provided + ActiveSupport::Deprecation.warn(<<~MSG) + Use of the option :escape_attributes is deprecated. It currently \ + escapes both names and values of tags and attributes and it is \ + equivalent to :escape. If any of them are enabled, the escaping \ + is fully enabled. + MSG + end + + return true unless escape_option_provided || escape_attributes_option_provided + escape_option = options.delete(:escape) + escape_attributes_option = options.delete(:escape_attributes) + escape_option || escape_attributes_option + end + def method_missing(called, *args, **options, &block) tag_string(called, *args, **options, &block) end @@ -216,13 +247,13 @@ # tag.div data: { city_state: %w( Chicago IL ) } # # => <div data-city-state="["Chicago","IL"]"></div> # - # The generated attributes are escaped by default. This can be disabled using - # +escape_attributes+. + # The generated tag names and attributes are escaped by default. This can be disabled using + # +escape+. # # tag.img src: 'open & shut.png' # # => <img src="open & shut.png"> # - # tag.img src: 'open & shut.png', escape_attributes: false + # tag.img src: 'open & shut.png', escape: false # # => <img src="open & shut.png"> # # The tag builder respects @@ -300,6 +331,7 @@ if name.nil? tag_builder else + name = ERB::Util.xml_name_escape(name) if escape "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe end end 
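Review bot: `handle_deprecated_escape_options` removes `:escape` and `:escape_attributes` from the caller's `options` hash via `options.delete(...)`, which is what keeps them from being rendered as attributes, but the leading comment only explains why the keys live in the hash; a line such as `# Side effect: strips :escape/:escape_attributes from +options+ so they are never emitted as attributes.` would make that contract explicit. Note also that an explicit `escape: nil` counts as provided and yields `nil`, i.e. escaping off, the same as `false`; if that is intended it is worth stating in the comment, otherwise `!!(escape_option || escape_attributes_option)` pins a boolean result. Style: `options.key?(...)` is the preferred spelling over `has_key?`. In the `@@ -300` hunk the legacy `tag` method now escapes `name` before building the string; that method starts outside the hunk, so the default of its `escape` parameter is not visible here.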
@@ -308,7 +340,7 @@ # HTML attributes by passing an attributes hash to +options+. # Instead of passing the content as an argument, you can also use a block # in which case, you pass your +options+ as the second parameter. - # Set escape to false to disable attribute value escaping. + # Set escape to false to disable escaping. # Note: this is legacy syntax, see +tag+ method description for details. # # ==== Options diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2022-03-08 18:50:07.000000000 +0100 +++ new/metadata 2022-04-26 21:32:40.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: actionview version: !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] -date: 2022-03-08 00:00:00.000000000 Z +date: 2022-04-26 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: activesupport @@ -16,14 +16,14 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 - !ruby/object:Gem::Dependency name: builder requirement: !ruby/object:Gem::Requirement 
@@ -92,28 +92,28 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 - !ruby/object:Gem::Dependency name: activemodel requirement: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.2.3 + version: 7.0.2.4 description: Simple, battle-tested conventions and helpers for building web pages. email: da...@loudthinking.com executables: [] @@ -246,10 +246,10 @@ - MIT metadata: bug_tracker_uri: https://github.com/rails/rails/issues - changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/actionview/CHANGELOG.md - documentation_uri: https://api.rubyonrails.org/v7.0.2.3/ + changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md + documentation_uri: https://api.rubyonrails.org/v7.0.2.4/ mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk - source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/actionview + source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview rubygems_mfa_required: 'true' post_install_message: rdoc_options: []