Fix possible XSS vector in JS escape helper
This commit escapes dollar signs and backticks to prevent JS XSS issues
when using the `j` or `javascript_escape` helper

CVE-2020-5267
tenderlove committed Mar 19, 2020
1 parent 5c188c1 commit 033a738
Showing 2 changed files with 12 additions and 2 deletions.
6 changes: 4 additions & 2 deletions actionview/lib/action_view/helpers/javascript_helper.rb
Expand Up @@ -12,7 +12,9 @@ module JavaScriptHelper
"\n" => '\n',
"\r" => '\n',
'"' => '\\"',
"'" => "\\'"
"'" => "\\'",
"`" => "\\`",
"$" => "\\$"
}

JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
Expand All @@ -29,7 +31,7 @@ def escape_javascript(javascript)
if javascript.empty?
result = ""
else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP)
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
end
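Review bot: The two trailing alternatives in the rewritten gsub pattern, a one-character class for the backtick and another for `$`, read oddly next to the existing `[\n\r"']` class and add an alternation step per input character; folding them into that class, ``[\n\r"'`$]``, matches exactly the same input and keeps the pattern in the style of the rest of the regex. The JS_ESCAPE_MAP entries added in the first hunk carry no comment on why a backtick and a dollar sign are now escaped, and a reader without CVE-2020-5267 in mind will wonder; a comment such as `# Backtick and "$" are escaped so the result is also safe inside a template literal, where "${" would start an interpolation` above the map would record the intent. It is also worth stating there that every `$` is escaped, not only one followed by `{`, which is a deliberate over-escape and harmless in a JS string literal. escape_javascript's `def` line sits in the hunk header, so the method begins outside the hunk.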
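--- a/actionview/test/template/javascript_helper_test.rb
+++ b/actionview/test/template/javascript_helper_test.rb
@@ -36,6 +36,14 @@ def test_escape_javascript
 assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
 end
 
+def test_escape_backtick
+assert_equal "\\`", escape_javascript("`")
+end
+
+def test_escape_dollar_sign
+assert_equal "\\$", escape_javascript("$")
+end
+
 def test_escape_javascript_with_safebuffer
 given = %('quoted' "double-quoted" new-line:\n </closed>)
 expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)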
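Review bot: Both new tests feed a single character to escape_javascript, so they show each new map entry exists but not that the new alternatives coexist with the rest of the pattern in one string, which is where a regex alternation mistake would surface; one assertion mixing the new and old escapes, `assert_equal %(\\`\\$\\'), escape_javascript(%(`$'))`, would cover that. The neighbouring test_escape_javascript_with_safebuffer, which the commit leaves untouched, is also the only place the html_safe path is exercised, and it does not include the new characters; extending its `given` and `expect` strings with a backtick and a `$` would confirm the map applies on that path too. That method's body continues outside the hunk.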
