Bump to 1.4.1
joeldrapper committed Mar 11, 2024
1 parent a54939c commit 8213b03
Showing 4 changed files with 36 additions and 11 deletions.
2 changes: 1 addition & 1 deletion .ruby-version
@@ -1 +1 @@
3.2.1
3.3.0
13 changes: 4 additions & 9 deletions lib/phlex/sgml.rb
Expand Up @@ -258,14 +258,6 @@ def capture(&block)

# @api private
private def __final_attributes__(**attributes)
if attributes[:href]&.start_with?(/\s*javascript:/)
attributes.delete(:href)
end

if attributes["href"]&.start_with?(/\s*javascript:/)
attributes.delete("href")
end

buffer = +""
__build_attributes__(attributes, buffer: buffer)

Expand All @@ -283,8 +275,11 @@ def capture(&block)
else k.to_s
end

lower_name = name.downcase
next if lower_name == "href" && v.start_with?(/\s*javascript:/i)

# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
if HTML::EVENT_ATTRIBUTES[name] || name.match?(/[<>&"']/)
if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/)
raise ArgumentError, "Unsafe attribute name detected: #{k}."
end

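Review bot: The new `href` check in `__build_attributes__` calls `v.start_with?` with no nil-safe or type guard, so a value that is neither a String nor a Symbol (for example `true` or an Integer) would raise NoMethodError unless a guard above the hunk filters it out; the removed code in `__final_attributes__` at least used `&.`. The match is also narrower than URL parsing: browsers strip leading control characters and discard ASCII tab and newline characters before reading the scheme, while `/\s*javascript:/i` only skips leading whitespace. I would normalise the value before comparing, e.g. `next if lower_name == "href" && v.to_s.downcase.delete("^a-z:").start_with?("javascript:")`, and check whether other URL-valued attributes need the same treatment. The enclosing `each` block starts and ends outside the hunk.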
2 changes: 1 addition & 1 deletion lib/phlex/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true

module Phlex
VERSION = "1.4.0"
VERSION = "1.4.1"
end
30 changes: 30 additions & 0 deletions test/phlex/view/naughty_business.rb
Expand Up @@ -3,6 +3,36 @@
describe Phlex::HTML do
extend ViewHelper

with "naughty javascript links" do
view do
def template
a(href: "javascript:alert(1)") { "a" }
a(href: "JAVASCRIPT:alert(1)") { "b" }
a(href: :"JAVASCRIPT:alert(1)") { "c" }
a(HREF: "javascript:alert(1)") { "d" }
end
end

it "removes the href attributes" do
expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>"
end
end

with "naughty uppercase event tag" do
view do
def template
button ONCLICK: "ALERT(1)" do
"naughty button"
end
end
end

it "raises" do
expect { output }.to raise_exception ArgumentError,
message: be == "Unsafe attribute name detected: ONCLICK."
end
end

with "naughty text" do
view do
def template
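Review bot: The "naughty javascript links" cases vary only the letter case of the value and the key, so two paths of the check in lib/phlex/sgml.rb go untested: the `\s*` leading-whitespace prefix of the regex, and a String key such as `"href"`, which the removed code handled explicitly. I would add a case like `a("href" => " javascript:alert(1)") { "e" }` and extend the expected output to match. A case with a non-string value such as `href: true` would also pin down whether the `start_with?` call is reached for such values. The `describe` block continues past the end of the hunk.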
