Fix possible XSS vector in JS escape helper

This commit escapes dollar signs and backticks to prevent JS XSS issues when using the `j` or `javascript_escape` helper CVE-2020-5267
2020-03-12 10:25:48 -07:00 · 2020-03-12 10:25:48 -07:00 · 033a738817
parent 5c188c12ee
commit 033a738817
2 changed files with 12 additions and 2 deletions
--- a/actionview/lib/action_view/helpers/javascript_helper.rb
+++ b/actionview/lib/action_view/helpers/javascript_helper.rb
@ -12,7 +12,9 @@ module ActionView
        "\n"    => '\n',
        "\r"    => '\n',
        '"'     => '\\"',
-        "'"     => "\\'"
+        "'"     => "\\'",
+        "`"     => "\\`",
+        "$"     => "\\$"
      }

      JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "&#x2028;"
@ -29,7 +31,7 @@ module ActionView
        if javascript.empty?
          result = ""
        else
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP)
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
        end
        javascript.html_safe? ? result.html_safe : result
      end
--- a/actionview/test/template/javascript_helper_test.rb
+++ b/actionview/test/template/javascript_helper_test.rb
@ -36,6 +36,14 @@ class JavaScriptHelperTest < ActionView::TestCase
    assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
  end

+  def test_escape_backtick
+    assert_equal "\\`", escape_javascript("`")
+  end
+
+  def test_escape_dollar_sign
+    assert_equal "\\$", escape_javascript("$")
+  end
+
  def test_escape_javascript_with_safebuffer
    given = %('quoted' "double-quoted" new-line:\n </closed>)
    expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)