Always escape quotes in attributes; support array attrs
The current behavior is to pass HTML-safe strings through unaltered, but
this can still cause an XSS vulnerability if the string has an unescaped
quote in it:

    rails/rails@4394e90

I also added support for array attributes, since I noticed Rails does
it when I was copying their escaping code.
rf- committed Jul 22, 2017
1 parent 87d309c commit 05be435
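The attribute breakout the commit message describes, as an added example that is not part of Rumble or Rails: a toy html_safe marker and escaper (assumed, as the message states, to pass html-safe strings through untouched), an attribute builder before and after escaping quotes unconditionally, and a constructed attacker-controlled payload. All names here are the example's own.

```ruby
require "cgi"

# Added example, not Rumble's own code. SafeString stands in for an
# html_safe string (assumption: an escaper passes anything that answers
# html_safe? with true through unaltered).
class String
  def html_safe?
    false
  end
end

class SafeString < String
  def html_safe?
    true
  end
end

# Trust html-safe strings, entity-encode everything else (CGI.escapeHTML
# encodes & < > " and ').
def html_escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Vulnerable builder: a '"' inside an html_safe value reaches the attribute
# delimiter unescaped, so the value can close the attribute and add new ones.
def attrs_before(attributes)
  attributes.inject("") do |res, (name, value)|
    if value
      value = value == true ? name : html_escape(value)
      res << " #{name}=\"#{value}\""
    end
    res
  end
end

# Fixed builder: escape '"' in every value regardless of html_safe status and
# join array values with spaces. The skip branch returns the accumulator
# explicitly because inject feeds the block's return value into the next
# iteration.
def attrs_after(attributes)
  attributes.inject("") do |res, (name, value)|
    next res unless value

    value =
      if value.is_a?(Array)
        value.map { |v| html_escape(v) }.join(" ")
      elsif value == true
        name.to_s
      else
        html_escape(value)
      end

    res << " #{name}=\"#{value.gsub('"', "&quot;")}\""
  end
end

# Constructed payload: a string some upstream code marked html_safe after
# handling only < > and &, but which still carries a double quote.
PAYLOAD = SafeString.new('x" onmouseover="alert(1)')

def vulnerable_tag
  "<div#{attrs_before(title: PAYLOAD)}></div>"
end

def fixed_tag
  "<div#{attrs_after(title: PAYLOAD, class: ["a", '"b"'], hidden: nil)}></div>"
end

# Attribute names the browser would see in the rendered tag.
def attribute_names(tag)
  tag.scan(/\s([a-z-]+)="/).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_tag  # the payload injects an onmouseover attribute
  puts fixed_tag       # the payload stays inside the title value
end
```

The quote escaping is the whole fix: once `"` can never appear unencoded inside a double-quoted attribute, an html_safe value can still carry markup characters but can no longer terminate the attribute it sits in.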
Showing 2 changed files with 26 additions and 6 deletions.
16 changes: 12 additions & 4 deletions lib/keynote/rumble.rb
Expand Up @@ -323,10 +323,18 @@ def inspect; to_s.inspect end

def attrs_to_s
attributes.inject("") do |res, (name, value)|
if value
value = (value == true) ? name : Rumble.html_escape(value)
res << " #{name}=\"#{value}\""
end
next unless value

value =
if value.is_a?(Array)
value.map { |val| Rumble.html_escape(val) }.join(" ")
elsif value == true
name
else
Rumble.html_escape(value)
end

res << " #{name}=\"#{value.gsub('"'.freeze, '&quot;'.freeze)}\""
res
end
end
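Review bot: `next unless value` in the new skip branch returns nil from the inject block, so the accumulator becomes nil for the following attribute; a nil or false attribute followed by any other attribute then raises NoMethodError on `res <<`, and a trailing nil/false attribute makes attrs_to_s return nil instead of the string built so far. The removed `if value ... end` form always fell through to `res`; use `next res unless value`. Also, the `value == true` branch now feeds `name` into `value.gsub(...)`, which only works if attribute names are always Strings; if they can be Symbols, use `name.to_s` there.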
16 changes: 14 additions & 2 deletions spec/rumble_spec.rb
Expand Up @@ -67,11 +67,23 @@ def test_string_data

def test_hash_data
str = <<-HTML
<div data-modal="true" data-test="&quot;test&quot;"></div>
<div data-modal="true" data-safe="&quot;&quot;&quot;" data-unsafe="&quot;&amp;quot;&quot;">
</div>
HTML

assert_rumble str do
div data: { modal: true, safe: '"&quot;"'.html_safe, unsafe: '"&quot;"' }
end
end

def test_array_attrs
str = <<-HTML
<div class="hello &quot;uns&amp;amp;fe&quot; &quot;w&amp;rld&quot;">
</div>
HTML

assert_rumble str do
div data: { modal: true, test: '"test"' }
div class: ["hello", '"uns&amp;fe"', '"w&amp;rld"'.html_safe]
end
end

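Review bot: neither new test exercises the two paths this commit changed most: a `true` shortcut on a plain (non-data) attribute, which is the branch that now reaches `gsub` with the attribute name, and a nil or false attribute, which takes the new `next unless value` path. Add a case such as `div disabled: true, hidden: nil, id: "x"` and assert the rendered attributes, so a regression in either path is caught. The array test also covers only Strings; an element that is a Symbol or Integer would show whether the escaper is expected to stringify it.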