Fix possible XSS vector in JS escape helper
This commit escapes dollar signs and backticks to prevent JS XSS issues when using the `j` or `javascript_escape` helper (CVE-2020-5267).
parent
5c188c12ee
commit
033a738817
2 changed files with 12 additions and 2 deletions
|
@ -12,7 +12,9 @@ module ActionView
|
|||
"\n" => '\n',
|
||||
"\r" => '\n',
|
||||
'"' => '\\"',
|
||||
"'" => "\\'"
|
||||
"'" => "\\'",
|
||||
"`" => "\\`",
|
||||
"$" => "\\$"
|
||||
}
|
||||
|
||||
JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
|
||||
|
@ -29,7 +31,7 @@ module ActionView
|
|||
if javascript.empty?
|
||||
result = ""
|
||||
else
|
||||
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP)
|
||||
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
|
||||
end
|
||||
javascript.html_safe? ? result.html_safe : result
|
||||
end
|
||||
|
|
|
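Review bot: The two trailing alternatives added to the gsub pattern in the second hunk, a one-character class for the backtick and another for the dollar sign, sit next to the existing `[\n\r"']` class and read as if they were distinct cases; folding both characters into that one class matches exactly the same input and lets a reader see the full escaped set in one place. The three new JS_ESCAPE_MAP entries in the first hunk carry no comment saying why these two characters are escaped at all, so a line such as `# backtick and dollar sign are significant inside ES2015 template literals, so escape them too` above them would record the reason given in the commit description. The enclosing escape_javascript method begins outside the second hunk, so whether the method's documentation mentions the new characters cannot be checked here.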
@ -36,6 +36,14 @@ class JavaScriptHelperTest < ActionView::TestCase
|
|||
assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
|
||||
end
|
||||
|
||||
def test_escape_backtick
|
||||
assert_equal "\\`", escape_javascript("`")
|
||||
end
|
||||
|
||||
def test_escape_dollar_sign
|
||||
assert_equal "\\$", escape_javascript("$")
|
||||
end
|
||||
|
||||
def test_escape_javascript_with_safebuffer
|
||||
given = %('quoted' "double-quoted" new-line:\n </closed>)
|
||||
expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
|
||||
|
|
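Review bot: The new tests test_escape_backtick and test_escape_dollar_sign each pass a single character, so neither exercises the case the commit description is about, a `${` sequence inside a backtick-delimited string; one more assertion feeding a backtick-delimited string containing `${x}` and expecting every backtick and dollar sign to come out prefixed with a backslash would pin that both characters are escaped together and in order. The context method test_escape_javascript_with_safebuffer starts inside this hunk and continues past its end.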