🚨 [security] Update phlex 1.11.0 → 2.4.1 (major) #870

Open
depfu[bot] wants to merge 1 commit into master from depfu/update/phlex-2.4.1

Conversation

depfu bot (Contributor) commented Feb 7, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ phlex (indirect, 1.11.0 → 2.4.1) · Repo · Changelog

Security Advisories 🚨

🚨 Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values

Impact

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.

  1. The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. div(**user_attributes).
  2. The second bypass could happen if user-provided tag names were passed to the tag method, e.g. tag(some_tag_name_from_user).
  3. The third bypass could happen if user’s links were passed to href attributes, e.g. a(href: user_provided_link).

All three of these patterns are meant to be safe and all have now been patched.

Patches

Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.

The patched versions are:

Phlex has also patched the main branch in GitHub.

Workarounds

If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ phlex-rails (1.2.2 → 2.4.0) · Repo · Changelog

Release Notes

2.4.0

  • Removed support for inline and sidecar ERB templates
  • Fixed a rendering context bug
  • Added support for passing as attributes objects that respond to to_h
  • Added the foundations of a new compiler for HTML components — this will be completed and enabled in a subsequent release

2.3.1

Highlights

A new RubyLSP indexing enhancement for register_element provides auto-complete for your own custom elements.

Full Changelog: 2.3.0...2.3.1

2.3.0

Highlights

  • You can now pass Date and Time objects as HTML attributes.
  • Specific HTML attributes on specific HTML elements (e.g. img[srcset]) now generate comma-separated token lists when passed a Ruby Array. Previously they generated space-separated token lists.

What's Changed

New Contributors

Full Changelog: 2.2.1...2.3.0

2.1.1

[Experimental] support for ERB snippets

In this non-breaking release, we’ve added support for ERB snippets. Anything that you would have defined as a Ruby method, e.g. view_template can now be defined as ERB.

Basic inline example

In this example, we create a Nav component and define its view_template using ERB instead of Ruby. The erb class method defines the view_template method with the compiled ERB for us. We also expose an item snippet — again defined with ERB. This time it defines the item instance method. Here, we specify locals: %(href:), which means the method will be defined as def item(href:).

class Nav < Phlex::HTML
  erb :view_template, <<~ERB
    <nav>
      <% yield %>
    </nav>
  ERB

  erb :item, <<~ERB, locals: %(href:)
    <a href="<%= href %>">
      <% yield %>
    </a>
  ERB
end

Locals

You can put anything in the locals string that you would regularly put in a Ruby method signature:

Required positional argument

erb :method_name, <<~ERB, locals: %(foo)

Optional positional argument

erb :method_name, <<~ERB, locals: %(foo = nil)

Positional argument with default

erb :method_name, <<~ERB, locals: %(foo = "test")

Required keyword argument

erb :method_name, <<~ERB, locals: %(foo:)

Optional keyword argument

erb :method_name, <<~ERB, locals: %(foo: nil)

Keyword argument with default

erb :method_name, <<~ERB, locals: %(foo: "test")

Note: we may rename locals: to params: or something else. Send us your feedback.

Sidecar templates

Instead of defining the ERB templates inline, you can alternatively define them as sidecar files. You’ll still need to define the method signatures in your component. Let’s go back to our nav component. We can remove the inline ERB.

class Nav < Phlex::HTML
  erb :view_template
  erb :item, locals: %(href:)
end

If this Nav component is defined in app/components/nav.rb, Phlex will search for the following sidecar files:

  1. app/components/nav/view_template.html.erb
  2. app/components/nav/item.html.erb

In the case of the view_template snippet, if Phlex can’t find app/components/nav/view_template.html.erb, it will also try app/components/nav.html.erb.

Performance

All ERB templates are compiled into methods once at boot so performance should be excellent.

Compatibility

For the most part, these ERB snippets should be completely compatible with Ruby snippets and all the Phlex features like fragments, caching, etc. When it comes to caching, the technique we use to bust the cache when you make changes in development mode with Rails will not work if you use external sidecar ERB files.

Security

Because ERB is not structural, we can’t provide all the same security features. It is possible, for example, to write ERB like this, and since we don’t know you’re writing to an href attribute, we can’t strip javascript: from the start of the href.

<a href="<%= user_data %>">Click me</a>

The main concern with inline ERB support was making sure you couldn’t unintentionally interpolate unescaped user data with #{} interpolation. Our solution to this is to only support the definition of ERB snippets at the class level where it’s very unlikely any user data will be in scope.

The correct way to output user data is with <%= %> tags, though it can’t be as safe as regular Phlex output because it is string-based, not structural.

PRs

  • [EXPERIMENTAL] Add support for ERB snippets and sidecar templates by @joeldrapper in #867

Full Changelog: 2.1.0...2.1.1

2.1.0

Highlights

  • Building CSVs is now faster and we deprecated view_template for row_template in Phlex::CSV views.
  • You can now use CDATA sections in Phlex::SVG components with the new cdata method. Phlex is no longer a “leaky abstraction”.
  • There’s a new json_escape helper available on Phlex::HTML and Phlex::SVG components for escaping JSON inside JavaScript strings.

PRs

New Contributors

Full Changelog: 2.0.2...2.1.0

2.0.2

What's Changed

If you try to access context before the component starts being rendered (e.g. from your initializer), it will now raise a helpful error message. This is non-breaking because it was always raising an error message. The previous error message was that it couldn’t find the method user_context on nil.

Full Changelog: 2.0.1...2.0.2

2.0.1

What's Changed

This non-breaking release fixes a regression that meant the render? predicate was called before the context was set. This meant an error would be raised if you called out to a helper in the render? method.

Full Changelog: 2.0.0...2.0.1

2.0.0

What's Changed

Many things [updated release notes coming soon.]

New Contributors

Full Changelog: 1.11.0...2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 prism (added, 1.9.0)

🆕 refract (added, 1.1.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands:

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.
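The advisory above lists three places where user-controlled input reaches a structural renderer (splatted attribute hashes with string keys, dynamic tag names, and href values), and the 2.1.1 notes explain why string-based ERB cannot apply the href check at all. The following is an added example, not Phlex's own implementation and not code from this pull request: a minimal structural HTML emitter that shows what "safe by construction" means for each of those three inputs. The module name SafeTag, its tag allowlist and the sample inputs are constructed for the example; Phlex's real checks are more complete than this.

```ruby
require "cgi"

# Added example (not Phlex's code): a minimal structural HTML emitter that applies
# the three checks the advisory describes, regardless of whether the tag name,
# the attribute hash, or the href value came from a user.
module SafeTag
  # Constructed allowlist of tag names; a real component library would derive
  # this from the HTML spec rather than from a short list like this one.
  ALLOWED_TAGS = %w[a div span p ul li nav].freeze

  # Attribute names must look like HTML attribute names; anything else
  # (quotes, spaces, '>' ...) could break out of the attribute list.
  ATTRIBUTE_NAME = /\A[a-zA-Z][a-zA-Z0-9_\-]*\z/

  def self.escape(value)
    CGI.escapeHTML(value.to_s)
  end

  # True when a URL, after removing the ASCII whitespace/control characters
  # that browsers ignore, starts with the javascript: scheme (case-insensitive).
  def self.javascript_url?(value)
    normalized = value.to_s.gsub(/[\x00-\x20]/, "").downcase
    normalized.start_with?("javascript:")
  end

  # Renders an attribute list. Keys may be symbols or strings (the first bypass
  # in the advisory was that string keys took a different path); both kinds are
  # normalized with to_s and subjected to the same checks.
  def self.attributes(attrs)
    attrs.each_with_object(+"") do |(key, value), out|
      name = key.to_s
      raise ArgumentError, "malformed attribute name: #{name.inspect}" unless name.match?(ATTRIBUTE_NAME)
      raise ArgumentError, "event handler attribute rejected: #{name}" if name.downcase.start_with?("on")
      raise ArgumentError, "javascript: href rejected" if name.casecmp?("href") && javascript_url?(value)

      out << " #{name}=\"#{escape(value)}\""
    end
  end

  # Renders a single element. The tag name (second bypass: dynamic tag names)
  # is lower-cased and must be on the allowlist; text content is always escaped.
  def self.tag(name, attrs = {}, content = nil)
    tag_name = name.to_s.downcase
    raise ArgumentError, "tag not allowed: #{tag_name}" unless ALLOWED_TAGS.include?(tag_name)

    "<#{tag_name}#{attributes(attrs)}>#{content.nil? ? '' : escape(content)}</#{tag_name}>"
  end

  # Convenience wrapper returning [:ok, html] or [:rejected, reason] so callers
  # and tests can inspect the outcome without rescuing.
  def self.render(name, attrs = {}, content = nil)
    [:ok, tag(name, attrs, content)]
  rescue ArgumentError => e
    [:rejected, e.message]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs standing in for user-provided values.
  puts SafeTag.render(:a, { href: "https://example.com/?a=1&b=2" }, "Docs").inspect
  puts SafeTag.render("DIV", { "class" => "card", id: "c1" }, "1 < 2").inspect
  puts SafeTag.render(:a, { "href" => " JavaScript:void(0)" }, "x").inspect
  puts SafeTag.render(:div, { "onClick" => "doSomething()" }, "x").inspect
  puts SafeTag.render("script", {}, "x").inspect
end
```

The point of the structure is that every value passes through one of a few typed sinks (tag name, attribute name, attribute value, text), so the href scheme check and the attribute-name checks cannot be skipped by changing the key type or the source of the tag name. The `<a href="<%= user_data %>">` ERB snippet from the 2.1.1 notes has no such sink: the renderer only sees a string, which is exactly why the notes say the javascript: check cannot be applied there.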

@depfu depfu bot added the depfu label Feb 7, 2026