gems view_component 3.25.0

10 hours ago
  • Support Rails render_in options signature. Rails #50623 changed the render_in signature from render_in(view_context, &block) to render_in(view_context, **options, &block). ViewComponent::Base#render_in, ViewComponent::Collection#render_in, and ViewComponent::Instrumentation#render_in now accept **options, restoring compatibility with Rails main and silencing the deprecation warning.

    Joel Hawksley

  • Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format/variant on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

    Joel Hawksley

  • Fix path traversal vulnerability in ViewComponentsSystemTestController where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The start_with? check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.

    Joel Hawksley
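As an added illustration of the containment bug described in the path traversal entry above (example code, not view_component's own implementation; the allowed directory `/tmp/view_components`, the helper names, and the 404 modelling are assumptions), the plain string-prefix check is shown beside a separator-aware one:

```ruby
require "pathname"

# Constructed example: an assumed allowed temp directory, standing in for
# the directory the system test controller is permitted to serve from.
ALLOWED_DIR = "/tmp/view_components".freeze

# Weak check: a bare String#start_with? prefix test. A sibling directory
# such as /tmp/view_components_evil shares the string prefix and passes.
def contained_by_prefix?(path, root = ALLOWED_DIR)
  File.expand_path(path).start_with?(root)
end

# Separator-aware check: after normalising both sides (collapsing "..",
# "." and trailing slashes), the candidate must either equal the root or
# begin with the root followed by a path separator. Note that
# File.expand_path does not resolve symlinks; File.realpath would, but it
# requires the path to exist.
def contained_by_path?(path, root = ALLOWED_DIR)
  resolved = File.expand_path(path)
  root     = File.expand_path(root)
  resolved == root || resolved.start_with?(root + File::SEPARATOR)
end

# Models the corrected controller behaviour: a path that escapes the
# allowed directory is reported as not found rather than raising.
def lookup_status(path, root = ALLOWED_DIR)
  return 404 unless contained_by_path?(path, root)
  200
end
```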

  • Fix preview route vulnerability where inherited methods on ViewComponent::Preview (such as render_with_template) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. render_args now raises AbstractController::ActionNotFound for any example not explicitly declared on the preview subclass.

    Joel Hawksley
