Overview

File CVE-2016-6316.patch of Package rubygem-actionview-4_1

commit 04e03e20fddcee85ce69a55565ee377e8d79bf7a
Author: Andrew Carpenter <andrew@criticaljuncture.org>
Date:   Thu Jul 28 16:12:21 2016 -0700

    ensure tag/content_tag escapes " in attribute vals
    
    Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
    
    CVE-2016-6316

diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
index 3528381..54bc570 100644
--- a/actionview/lib/action_view/helpers/tag_helper.rb
+++ b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -169,7 +169,7 @@ module ActionView
         def tag_option(key, value, escape)
           value = value.join(" ") if value.is_a?(Array)
           value = ERB::Util.h(value) if escape
-          %(#{key}="#{value}")
+          %(#{key}="#{value.gsub(/"/, '&quot;'.freeze)}")
         end
     end
   end
openSUSE Build Service is sponsored by
Places