Fix tag helper regression #45027

Merged (1 commit, May 5, 2022)

Conversation

@eileencodes eileencodes commented May 5, 2022

Vue.js, alpinejs, and potentially other JS libraries support tags
starting with `@` symbols. This was broken by the recent security release in
649516c

I've only added `@` to the list even though there are potentially other
safe characters. We can add more if necessary (and if safe).

Fixes:
* #45014
* #44972

cc/ @tenderlove
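Added example, not Rails' own code and not the PR's diff: a hypothetical tag-name filter in Ruby that shows the regression the PR fixes (a strict leading-character set turns Vue.js/Alpine.js shorthand such as `@click` into `_click`) beside the relaxed set that adds `@` only, while still neutralising characters that could end a name or a tag. `escape_name`, `tag`, the regex constants and the `_` replacement character are all assumptions.

```ruby
require "cgi"

# Name-character rules for an HTML tag or attribute name built from
# untrusted input (hypothetical, modelled on the idea in the PR rather
# than copied from Rails). The strict start set is what broke Vue.js and
# Alpine.js shorthand such as `@click`; the relaxed set adds `@` only,
# since `@` can neither close a tag nor start an attribute value.
NAME_START_STRICT  = /\A[A-Za-z_:]\z/
NAME_START_RELAXED = /\A[@A-Za-z_:]\z/
NAME_FOLLOW_BAD    = /[^A-Za-z0-9_:.\-]/   # anything else after the first char
REPLACEMENT        = "_"

# Replace every character that could terminate the name or the tag
# (<, >, ", ', /, =, whitespace, ...) with a harmless underscore.
def escape_name(name, allow_at: true)
  name = name.to_s
  return "" if name.empty?

  start_ok = allow_at ? NAME_START_RELAXED : NAME_START_STRICT
  head = name[0].match?(start_ok) ? name[0] : REPLACEMENT
  tail = name[1..-1].gsub(NAME_FOLLOW_BAD, REPLACEMENT)
  head + tail
end

# Minimal tag builder: names go through escape_name, values through the
# usual HTML entity escaping. Renders the opening tag only, which is
# enough to show the effect on attribute names.
def tag(name, attrs = {}, allow_at: true)
  rendered = attrs.map do |k, v|
    %( #{escape_name(k, allow_at: allow_at)}="#{CGI.escapeHTML(v.to_s)}")
  end.join
  "<#{escape_name(name, allow_at: allow_at)}#{rendered}>"
end

if __FILE__ == $PROGRAM_NAME
  attrs = { "@click" => "open = !open", "x-data" => "{ open: false }" }
  puts tag("div", attrs, allow_at: false)  # regression: @click becomes _click
  puts tag("div", attrs)                   # fixed: @click survives
  puts tag("span", { "a b<c>" => "v" })    # invalid name chars neutralised
end
```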
@eileencodes eileencodes merged commit 480edd4 into main May 5, 2022
5 checks passed
@eileencodes eileencodes deleted the fix-tag-helper-regression branch May 5, 2022
eileencodes added a commit that referenced this issue May 5, 2022
amartinfraguas added a commit to amartinfraguas/rails that referenced this issue Jun 1, 2022
A previous fix for protections for XSS in `ActionView::Helpers` and
`ERB::Util` introduced a regression by not filtering HTML characters
properly. This is a complete fix, related to rails#45027.

We would need to support XHTML, HTML4 and HTML5. But since XHTML and
HTML4 have had a note for future deprecation in the documentation for
more than 5 years, simplify the filtering by removing support for XHTML
and HTML4.
@amartinfraguas amartinfraguas commented Jun 1, 2022

Hi @eileencodes, @tenderlove, I am the author of the initial security patch. Sorry for the mess... I have just created a pull request to fix the issue completely, could you please review it? #45236
