1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
|
From: Andrew Carpenter <andrew@criticaljuncture.org>
Date: Thu, 28 Jul 2016 16:12:21 -0700
Subject: ensure tag/content_tag escapes " in attribute vals
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
Author: Andrew Carpenter <andrew@criticaljuncture.org>
Backported-by: Antonio Terceiro <terceiro@debian.org>
---
actionview/lib/action_view/helpers/tag_helper.rb | 2 +-
actionview/test/template/tag_helper_test.rb | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
--- a/actionview/lib/action_view/helpers/tag_helper.rb
+++ b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -169,7 +169,7 @@ module ActionView
def tag_option(key, value, escape)
value = value.join(" ") if value.is_a?(Array)
value = ERB::Util.h(value) if escape
- %(#{key}="#{value}")
+ %(#{key}="#{value.to_s.gsub(/"/, '"'.freeze)}")
end
end
end
--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -116,6 +116,16 @@ class TagHelperTest < ActionView::TestCa
end
end
+ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p title=""">content</p>',
+ content_tag('p', "content", title: '"'.html_safe)
+ end
+
+ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p data-title=""">content</p>',
+ content_tag('p', "content", data: { title: '"'.html_safe })
+ end
+
def test_skip_invalid_escaped_attributes
['&1;', 'dfa3;', '& #123;'].each do |escaped|
assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag('a', :href => escaped)
|