renamed raw component

jonasjabari · jonasjabari · commit 8f15972af709 · 2020-02-10T20:20:19.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,37 +6,6 @@
 
 [Solved Issues](https://github.com/basemate/matestack-ui-core/issues?q=is%3Aissue+is%3Aclosed+milestone%3A0.7.4)
 
-
-### Security Fixes
-
-XSS/Script Injection
-
---> until 0.7.3, matestack-ui-core is vulnerable to XSS/Script injection due to missing string escaping
---> this is especially dangerous, if you render a string which was submitted via a form through `plain` or any other string rendering such as `heading size: 1, text: "..."`
---> fixed in 0.7.4, please update immediately
-
-```ruby
-class Pages::MyApp::MyExamplePage < Matestack::Ui::Page
-
-  class FakeUser < Struct.new(:name)
-  end
-
-  def prepare
-    @user = FakeUser.new("<script>alert('such hack many wow')</script>")
-  end
-
-  def response
-    components {
-      div do
-        heading size: 1, text: "Hello #{@user.name}" # is not escaped
-        plain "Hello #{@user.name}" # is not escaped
-      end
-    }
-  end
-end
-
-```
-
 ### Improvements
 
 * On form submit, matestack form values are reset to previous values by fiedl
diff --git a/app/concepts/matestack/ui/core/raw/raw.rb b/app/concepts/matestack/ui/core/raw/raw.rb
diff --git a/app/concepts/matestack/ui/core/unescaped/unescaped.rb b/app/concepts/matestack/ui/core/unescaped/unescaped.rb
@@ -0,0 +1,7 @@
+module Matestack::Ui::Core::Unescaped
+  class Unescaped < Matestack::Ui::Core::Component::Static
+    def show
+      @argument
+    end
+  end
+end
diff --git a/spec/usage/base/xss_spec.rb b/spec/usage/base/xss_spec.rb
@@ -69,7 +69,7 @@ def response
 
       visit "/example"
 
-      expect(page.html).to include("id=\"something-&quot;><script>alert('hello');</script>")
+      expect(page.html).to include("id=\"something-&quot;&gt;&lt;script&gt;alert('hello');&lt;/script&gt;")
     end
   end
 end
diff --git a/spec/usage/components/unescaped_spec.rb b/spec/usage/components/unescaped_spec.rb
@@ -1,11 +1,11 @@
-describe "Raw Html Component", type: :feature, js: true do
+describe "Unescaped Component", type: :feature, js: true do
 
   it "allows the insertion of pure HTML: Example 1" do
 
     class ExamplePage < Matestack::Ui::Page
       def response
         components {
-          rawhtml <<~HTML
+          unescaped <<~HTML
           <h1>Hello World</h1>
           <script>alert('Really Hello!')</script>
           HTML
