1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Fix possible XSS vector in JS escape helper

This commit escapes dollar signs and backticks to prevent JS XSS issues
when using the `j` or `javascript_escape` helper

CVE-2020-5267
This commit is contained in:
Aaron Patterson 2020-03-12 10:25:48 -07:00
parent 5c188c12ee
commit 033a738817
No known key found for this signature in database
GPG key ID: 953170BCB4FFAFC6
2 changed files with 12 additions and 2 deletions

View file

@ -12,7 +12,9 @@ module ActionView
"\n" => '\n',
"\r" => '\n',
'"' => '\\"',
"'" => "\\'"
"'" => "\\'",
"`" => "\\`",
"$" => "\\$"
}
JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
@ -29,7 +31,7 @@ module ActionView
if javascript.empty?
result = ""
else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP)
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
end

View file

@ -36,6 +36,14 @@ class JavaScriptHelperTest < ActionView::TestCase
assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
end
def test_escape_backtick
assert_equal "\\`", escape_javascript("`")
end
def test_escape_dollar_sign
assert_equal "\\$", escape_javascript("$")
end
def test_escape_javascript_with_safebuffer
given = %('quoted' "double-quoted" new-line:\n </closed>)
expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)