
From 033a738817abd6e446e1b320cb7d1a5c15224e9a Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Thu, 12 Mar 2020 10:25:48 -0700
Subject: [PATCH] Fix possible XSS vector in JS escape helper

This commit escapes dollar signs and backticks to prevent JS XSS issues
when using the `j` or `javascript_escape` helper

CVE-2020-5267
---
--- a/lib/action_view/helpers/javascript_helper.rb	2017-06-26 23:29:05.000000000 +0200
+++ b/lib/action_view/helpers/javascript_helper.rb	2020-03-20 16:07:03.179065491 +0100
@@ -10,7 +10,9 @@
         "\n"    => '\n',
         "\r"    => '\n',
         '"'     => '\\"',
-        "'"     => "\\'"
+        "'"     => "\\'",
+        "`"     => "\\`",
+        "$"     => "\\$"
       }
 
       JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '&#x2028;'
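Review bot: The two new map entries on the `+` lines carry no comment saying why a backtick and a dollar sign now need escaping, and the reason is not visible from the table itself: inside an ES2015 template literal an unescaped `` ` `` ends the literal and `${` opens a substitution, so content interpolated into a backtick string would otherwise be evaluated as code. I would put a one-line comment above the `` "`" `` entry, `# Backtick and "$" are escaped so interpolated text cannot terminate a template literal or open a ${} substitution (CVE-2020-5267).` The map values are correct as written: in a Ruby double-quoted string `"\\`"` and `"\\$"` are a backslash followed by the literal character, which is a valid identity escape in both JS string and template-literal contexts. The `JS_ESCAPE_MAP = {` opening of this constant lies above the hunk.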
@@ -24,7 +26,7 @@
       #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u) {|match| JS_ESCAPE_MAP[match] }
           javascript.html_safe? ? result.html_safe : result
         else
           ''
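Review bot: On the new `gsub` line the two added alternatives `[`]` and `[$]` are single-character classes tacked onto the alternation, which reads as if they were distinct cases when they are just two more literal characters; they belong in the existing class, `result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'`$])/u) {|match| JS_ESCAPE_MAP[match] }`, which matches the same set of inputs and keeps a single place to read the escaped character set. Inside a character class `$` is literal, so no extra escaping is needed there. The body of `escape_javascript` continues past the hunk (the closing `end`s are outside), so the `else` branch's `''` return is only partly visible here.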