Hello community,

here is the log from the commit of package rubygem-actionview-7.0 for 
openSUSE:Factory checked in at 2022-04-30 22:52:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-7.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionview-7.0"

Sat Apr 30 22:52:18 2022 rev:3 rq:974038 version:7.0.2.4

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionview-7.0/rubygem-actionview-7.0.changes
    2022-03-11 11:35:09.378189154 +0100
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1538/rubygem-actionview-7.0.changes
  2022-04-30 22:52:23.748212723 +0200
@@ -1,0 +2,18 @@
+Thu Apr 28 05:10:47 UTC 2022 - Stephan Kulow <co...@suse.com>
+
+updated to version 7.0.2.4
+ see installed CHANGELOG.md
+
+  ## Rails 7.0.2.4 (April 26, 2022) ##
+  
+  *   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+  
+      Escape dangerous characters in names of tags and names of attributes in 
the
+      tag helpers, following the XML specification. Rename the option
+      `:escape_attributes` to `:escape`, to simplify by applying the option to 
the
+      whole tag.
+  
+      *??lvaro Mart??n Fraguas*
+  
+
+-------------------------------------------------------------------

Old:
----
  actionview-7.0.2.3.gem

New:
----
  actionview-7.0.2.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionview-7.0.spec ++++++
--- /var/tmp/diff_new_pack.r8kpO1/_old  2022-04-30 22:52:24.636213925 +0200
+++ /var/tmp/diff_new_pack.r8kpO1/_new  2022-04-30 22:52:24.640213930 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionview-7.0
-Version:        7.0.2.3
+Version:        7.0.2.4
 Release:        0
 %define mod_name actionview
 %define mod_full_name %{mod_name}-%{version}

++++++ actionview-7.0.2.3.gem -> actionview-7.0.2.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2022-03-08 18:50:07.000000000 +0100
+++ new/CHANGELOG.md    2022-04-26 21:32:40.000000000 +0200
@@ -1,3 +1,14 @@
+## Rails 7.0.2.4 (April 26, 2022) ##
+
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to 
the
+    whole tag.
+
+    *??lvaro Mart??n Fraguas*
+
 ## Rails 7.0.2.3 (March 08, 2022) ##
 
 *   No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_view/gem_version.rb 
new/lib/action_view/gem_version.rb
--- old/lib/action_view/gem_version.rb  2022-03-08 18:50:07.000000000 +0100
+++ new/lib/action_view/gem_version.rb  2022-04-26 21:32:40.000000000 +0200
@@ -10,7 +10,7 @@
     MAJOR = 7
     MINOR = 0
     TINY  = 2
-    PRE   = "3"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_view/helpers/tag_helper.rb 
new/lib/action_view/helpers/tag_helper.rb
--- old/lib/action_view/helpers/tag_helper.rb   2022-03-08 18:50:07.000000000 
+0100
+++ new/lib/action_view/helpers/tag_helper.rb   2022-04-26 21:32:40.000000000 
+0200
@@ -65,18 +65,25 @@
           tag_string(:p, *arguments, **options, &block)
         end
 
-        def tag_string(name, content = nil, escape_attributes: true, 
**options, &block)
+        def tag_string(name, content = nil, **options, &block)
+          escape = handle_deprecated_escape_options(options)
+
           content = @view_context.capture(self, &block) if block_given?
           if (HTML_VOID_ELEMENTS.include?(name) || 
SVG_VOID_ELEMENTS.include?(name)) && content.nil?
-            "<#{name.to_s.dasherize}#{tag_options(options, 
escape_attributes)}>".html_safe
+            "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
           else
-            content_tag_string(name.to_s.dasherize, content || "", options, 
escape_attributes)
+            content_tag_string(name.to_s.dasherize, content || "", options, 
escape)
           end
         end
 
         def content_tag_string(name, content, options, escape = true)
           tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.unwrapped_html_escape(content) if escape
+
+          if escape
+            name = ERB::Util.xml_name_escape(name)
+            content = ERB::Util.unwrapped_html_escape(content)
+          end
+
           
"<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
         end
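Review bot: `content_tag_string` now calls `ERB::Util.xml_name_escape`, which this hunk does not define and which nothing else in the diff adds to actionview itself; it presumably comes from activesupport, which the metadata section pins at exactly 7.0.2.4, so that exact pin is what keeps the name escaping from being silently unavailable and should not be loosened. The escaped `name` also feeds the `PRE_CONTENT_STRINGS[name]` lookup on the final interpolation line; for a well-formed tag name the escape is presumably the identity, but a comment at the new `name =` line would make the intent explicit: `# Escape the tag name as well as the content: a name built from untrusted input must not be able to close the element or inject markup.` The same name escaping is added to `tag_option` and `tag` in the hunks below. The `tag_string(:p, ...)` lines at the top of the hunk close a method that starts outside it.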
 
@@ -127,6 +134,8 @@
         end
 
         def tag_option(key, value, escape)
+          key = ERB::Util.xml_name_escape(key) if escape
+
           case value
           when Array, Hash
             value = TagHelper.build_tag_values(value) if key.to_s == "class"
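Review bot: With `escape` false the new code leaves `key` untouched and it is interpolated verbatim into the `%(#{key}="#{value}")` line of the next hunk, just as the value already was, so `escape: false` callers are now responsible for the attribute name too; that matches the updated doc comment further down but deserves a comment at the new line: `# With escape disabled neither the attribute name nor its value is sanitized; only pass trusted keys here.` The escaped key is then compared with `"class"` on the `build_tag_values` line, which decides whether class arrays are flattened — assuming `xml_name_escape` returns a plain String for a Symbol key the comparison still holds, but that is worth confirming against the activesupport implementation.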
@@ -137,6 +146,7 @@
             value = escape ? ERB::Util.unwrapped_html_escape(value) : 
value.to_s
           end
           value = value.gsub('"', "&quot;") if value.include?('"')
+
           %(#{key}="#{value}")
         end
 
@@ -153,6 +163,27 @@
             true
           end
 
+          def handle_deprecated_escape_options(options)
+            # The option :escape_attributes has been merged into the options 
hash to be
+            # able to warn when it is used, so we need to handle default 
values here.
+            escape_option_provided = options.has_key?(:escape)
+            escape_attributes_option_provided = 
options.has_key?(:escape_attributes)
+
+            if escape_attributes_option_provided
+              ActiveSupport::Deprecation.warn(<<~MSG)
+                Use of the option :escape_attributes is deprecated. It 
currently \
+                escapes both names and values of tags and attributes and it is 
\
+                equivalent to :escape. If any of them are enabled, the 
escaping \
+                is fully enabled.
+              MSG
+            end
+
+            return true unless escape_option_provided || 
escape_attributes_option_provided
+            escape_option = options.delete(:escape)
+            escape_attributes_option = options.delete(:escape_attributes)
+            escape_option || escape_attributes_option
+          end
+
           def method_missing(called, *args, **options, &block)
             tag_string(called, *args, **options, &block)
           end
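Review bot: `handle_deprecated_escape_options` mutates its argument — the two `options.delete` lines remove both keys so they do not reach `tag_options` and get rendered as attributes — and neither the method name nor the leading comment says so; suggest a header comment: `# Removes :escape and :escape_attributes from options (they must never be rendered as attributes) and returns the effective escape flag; defaults to true when neither is given.` Stylistically, `options.has_key?` on the two `_provided` lines should be `options.key?`, the preferred form. Note that `escape: false, escape_attributes: true` resolves to true through the `||`, which matches the deprecation text, and an explicit `escape: false` alone yields `nil` rather than `false`, which is fine for the truthiness checks in the callers shown.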
@@ -216,13 +247,13 @@
       #   tag.div data: { city_state: %w( Chicago IL ) }
       #   # => <div 
data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
       #
-      # The generated attributes are escaped by default. This can be disabled 
using
-      # +escape_attributes+.
+      # The generated tag names and attributes are escaped by default. This 
can be disabled using
+      # +escape+.
       #
       #   tag.img src: 'open & shut.png'
       #   # => <img src="open &amp; shut.png">
       #
-      #   tag.img src: 'open & shut.png', escape_attributes: false
+      #   tag.img src: 'open & shut.png', escape: false
       #   # => <img src="open & shut.png">
       #
       # The tag builder respects
@@ -300,6 +331,7 @@
         if name.nil?
           tag_builder
         else
+          name = ERB::Util.xml_name_escape(name) if escape
           "<#{name}#{tag_builder.tag_options(options, escape) if 
options}#{open ? ">" : " />"}".html_safe
         end
       end
@@ -308,7 +340,7 @@
       # HTML attributes by passing an attributes hash to +options+.
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +options+ as the second parameter.
-      # Set escape to false to disable attribute value escaping.
+      # Set escape to false to disable escaping.
       # Note: this is legacy syntax, see +tag+ method description for details.
       #
       # ==== Options
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2022-03-08 18:50:07.000000000 +0100
+++ new/metadata        2022-04-26 21:32:40.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 7.0.2.3
+  version: 7.0.2.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-08 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.3
+        version: 7.0.2.4
 description: Simple, battle-tested conventions and helpers for building web 
pages.
 email: da...@loudthinking.com
 executables: []
@@ -246,10 +246,10 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.2.3/actionview/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
+  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.2.4/actionview/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/actionview
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionview
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
