Bump to 1.9.1

See GHSA-242p-4v39-2v8g
phlex-ruby · Mar 11, 2024 · 775cc75 · 775cc75
1 parent 5f0c9b0
commit 775cc75
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/Gemfile b/Gemfile
@@ -9,7 +9,7 @@ gem "rubocop"
 gem "sus"
 gem "benchmark-ips"
 gem "yard"
-gem "green_dots", github: "joeldrapper/green_dots"
+# gem "green_dots", github: "joeldrapper/green_dots"
 
 group :test do
 	gem "i18n"

diff --git a/lib/phlex/sgml.rb b/lib/phlex/sgml.rb
@@ -366,14 +366,6 @@ def __final_attributes__(**attributes)
 				attributes = process_attributes(**attributes)
 			end
 
-			if attributes[:href]&.start_with?(/\s*javascript:/)
-				attributes.delete(:href)
-			end
-
-			if attributes["href"]&.start_with?(/\s*javascript:/)
-				attributes.delete("href")
-			end
-
 			buffer = +""
 			__build_attributes__(attributes, buffer: buffer)
 
@@ -391,8 +383,11 @@ def __build_attributes__(attributes, buffer:)
 					else raise ArgumentError, "Attribute keys should be Strings or Symbols."
 				end
 
+				lower_name = name.downcase
+				next if lower_name == "href" && v.start_with?(/\s*javascript:/i)
+
 				# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
-				if HTML::EVENT_ATTRIBUTES[name] || name.match?(/[<>&"']/)
+				if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/)
 					raise ArgumentError, "Unsafe attribute name detected: #{k}."
 				end
 

diff --git a/lib/phlex/version.rb b/lib/phlex/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Phlex
-	VERSION = "1.9.0"
+	VERSION = "1.9.1"
 end
diff --git a/test/phlex/view/naughty_business.rb b/test/phlex/view/naughty_business.rb
@@ -3,6 +3,36 @@
 describe Phlex::HTML do
 	extend ViewHelper
 
+	with "naughty javascript links" do
+		view do
+			def template
+				a(href: "javascript:alert(1)") { "a" }
+				a(href: "JAVASCRIPT:alert(1)") { "b" }
+				a(href: :"JAVASCRIPT:alert(1)") { "c" }
+				a(HREF: "javascript:alert(1)") { "d" }
+			end
+		end
+
+		it "removes the href attributes" do
+			expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>"
+		end
+	end
+
+	with "naughty uppercase event tag" do
+		view do
+			def template
+				button ONCLICK: "ALERT(1)" do
+					"naughty button"
+				end
+			end
+		end
+
+		it "raises" do
+			expect { output }.to raise_exception ArgumentError,
+				message: be == "Unsafe attribute name detected: ONCLICK."
+		end
+	end
+
 	with "naughty text" do
 		view do
 			def template