Bump to 1.2.2

See GHSA-242p-4v39-2v8g

Author: joeldrapper

.ruby-version

@@ -1 +1 @@
-3.2.0
+3.3.0

lib/phlex/html.rb

@@ -356,14 +356,6 @@ def capture
 		end
 
 		private def __attributes__(**attributes)
-			if attributes[:href]&.start_with?(/\s*javascript/)
-				attributes.delete(:href)
-			end
-
-			if attributes["href"]&.start_with?(/\s*javascript/)
-				attributes.delete("href")
-			end
-
 			buffer = +""
 			__build_attributes__(attributes, buffer: buffer)
 
@@ -384,8 +376,11 @@ def capture
 					else k.to_s
 				end
 
+				lower_name = name.downcase
+				next if lower_name == "href" && v.start_with?(/\s*javascript:/i)
+
 				# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
-				if HTML::EVENT_ATTRIBUTES[name] || name.match?(/[<>&"']/)
+				if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/)
 					raise ArgumentError, "Unsafe attribute name detected: #{k}."
 				end
 

lib/phlex/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Phlex
-	VERSION = "1.2.1"
+	VERSION = "1.2.2"
 end

test/phlex/view/naughty_business.rb

@@ -3,6 +3,36 @@
 describe Phlex::HTML do
 	extend ViewHelper
 
+	with "naughty javascript links" do
+		view do
+			def template
+				a(href: "javascript:alert(1)") { "a" }
+				a(href: "JAVASCRIPT:alert(1)") { "b" }
+				a(href: :"JAVASCRIPT:alert(1)") { "c" }
+				a(HREF: "javascript:alert(1)") { "d" }
+			end
+		end
+
+		it "removes the href attributes" do
+			expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>"
+		end
+	end
+
+	with "naughty uppercase event tag" do
+		view do
+			def template
+				button ONCLICK: "ALERT(1)" do
+					"naughty button"
+				end
+			end
+		end
+
+		it "raises" do
+			expect { output }.to raise_exception ArgumentError,
+				message: be == "Unsafe attribute name detected: ONCLICK."
+		end
+	end
+
 	with "naughty text" do
 		view do
 			def template