Fix possible XSS vector in JS escape helper
This commit escapes dollar signs and backticks to prevent JS XSS issues when using the `j` or `javascript_escape` helper (CVE-2020-5267).
This commit is contained in:
parent
5c188c12ee
commit
033a738817
2 changed files with 12 additions and 2 deletions
|
@ -12,7 +12,9 @@ module ActionView
|
||||||
"\n" => '\n',
|
"\n" => '\n',
|
||||||
"\r" => '\n',
|
"\r" => '\n',
|
||||||
'"' => '\\"',
|
'"' => '\\"',
|
||||||
"'" => "\\'"
|
"'" => "\\'",
|
||||||
|
"`" => "\\`",
|
||||||
|
"$" => "\\$"
|
||||||
}
|
}
|
||||||
|
|
||||||
JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
|
JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
|
||||||
|
@ -29,7 +31,7 @@ module ActionView
|
||||||
if javascript.empty?
|
if javascript.empty?
|
||||||
result = ""
|
result = ""
|
||||||
else
|
else
|
||||||
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP)
|
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
|
||||||
end
|
end
|
||||||
javascript.html_safe? ? result.html_safe : result
|
javascript.html_safe? ? result.html_safe : result
|
||||||
end
|
end
|
||||||
|
|
|
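Review bot: The new gsub regex adds the two characters as separate one-element classes, ``[`]|[$]``, where folding them into the bracket class that already holds the newline and quote characters reads more naturally and drops two alternation branches: ``/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'`$])/u``. The two new JS_ESCAPE_MAP entries also carry no comment explaining why they are needed; a note above them such as ``# "`" and "$" are escaped so the result is also safe inside a template literal, where a backtick ends the literal and "${" starts an interpolation.`` keeps the reason next to the table. The map's opening `JS_ESCAPE_MAP = {` and the `escape_javascript` signature both lie outside the hunks shown.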
@ -36,6 +36,14 @@ class JavaScriptHelperTest < ActionView::TestCase
|
||||||
assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
|
assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_escape_backtick
|
||||||
|
assert_equal "\\`", escape_javascript("`")
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_escape_dollar_sign
|
||||||
|
assert_equal "\\$", escape_javascript("$")
|
||||||
|
end
|
||||||
|
|
||||||
def test_escape_javascript_with_safebuffer
|
def test_escape_javascript_with_safebuffer
|
||||||
given = %('quoted' "double-quoted" new-line:\n </closed>)
|
given = %('quoted' "double-quoted" new-line:\n </closed>)
|
||||||
expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
|
expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
|
||||||
|
|
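Review bot: The two added tests each cover a lone character, so the template-literal shape the change is guarding against is never exercised end to end, and the `j` alias named in the description is not used by either. One assertion with both characters in context, e.g. ``assert_equal '\`\${x}\`', j(%(`${x}`))``, would pin the combined behaviour; it relies on "{" and "}" passing through unescaped, which the map in this commit leaves untouched. The enclosing `JavaScriptHelperTest` class opens outside the hunk.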