Description: Fix possible XSS vector in JS escape helper
This commit escapes dollar signs and backticks to prevent
JS XSS issues when using the `j` or `escape_javascript` helper
Author: Aaron Patterson <aaron.patterson@gmail.com>
Author: Utkarsh Gupta <utkarsh@debian.org>
Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
Bug-Debian: https://bugs.debian.org/954304
Last-Update: 2020-03-19
--- a/actionview/lib/action_view/helpers/javascript_helper.rb
+++ b/actionview/lib/action_view/helpers/javascript_helper.rb
@@ -10,7 +10,9 @@
"\n" => '\n',
"\r" => '\n',
'"' => '\\"',
- "'" => "\\'"
+ "'" => "\\'",
+ "`" => "\\`",
+ "$" => "\\$"
}
JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '
'
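Review bot: The two new JS_ESCAPE_MAP entries carry no comment saying why a bare backtick or dollar sign is dangerous, and unlike the quote entries the reason is not obvious from the map itself. A one-line why-comment above `"`" => "\\`",` would save the next maintainer a trip to the advisory: `# Backtick terminates an ES2015 template literal and "${" opens an interpolation inside one, so both must be escaped when the result lands in a template string.` As far as I can tell the backslash spellings are valid escapes in both ordinary JS string literals and template literals, so the same mapping works for either quoting context; that is worth stating in the same comment.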
@@ -24,7 +26,7 @@
# $('some_element').replaceWith('<%=j render 'some/element_template' %>');
def escape_javascript(javascript)
if javascript
- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
+ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
javascript.html_safe? ? result.html_safe : result
else
''
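Review bot: The new alternation spells the added characters as two one-character classes, `[`]|[$]`, which reads as if each were a distinct case and adds two alternation branches per character; folding them into the existing class, `[\n\r"'`$]`, keeps one class per purpose with identical matches. The doc comment above escape_javascript (its start is outside this hunk) still shows only the single-quoted-string usage even though the point of this commit is template literals, so the contract should be spelled out next to it: `# The result is only safe when placed inside a quoted JS string literal or a template literal; it does not make untrusted input safe in any other JS context, nor does it escape HTML comment openers.` The `\r\n` alternative relies on a matching key in JS_ESCAPE_MAP that presumably sits above the first hunk; with the hash form of gsub a missing key silently replaces the match with an empty string rather than raising, so that coupling deserves a note too.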
--- a/actionview/test/template/javascript_helper_test.rb
+++ b/actionview/test/template/javascript_helper_test.rb
@@ -33,6 +33,14 @@
assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
end
+ def test_escape_backtick
+ assert_equal "\\`", escape_javascript("`")
+ end
+
+ def test_escape_dollar_sign
+ assert_equal "\\$", escape_javascript("$")
+ end
+
def test_escape_javascript_with_safebuffer
given = %('quoted' "double-quoted" new-line:\n </closed>)
expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
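Review bot: The two added tests only assert the single characters in isolation, so they would not catch a regression where `${` ends up unescaped inside a template literal or where the SafeBuffer path loses html_safe? through the new hash-form gsub. Adding a template-literal case next to test_escape_dollar_sign, ``assert_equal "\\`\\${x}\\`", escape_javascript("`${x}`")``, pins the actual attack string the advisory describes, and `assert_predicate escape_javascript("$".html_safe), :html_safe?` checks that a safe input still yields a safe buffer on the new side. test_escape_javascript_with_safebuffer continues past the end of this hunk, so I cannot tell whether it already covers the second point.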