From 03c135e5fd8ac477a83f59164b7cfa5c79ab8a33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Mon, 6 Apr 2020 16:08:32 +0200
Subject: [PATCH] Apply escape_javascript security patch

This patch was included in the Rails 5.2.x series, but since we haven't upgraded yet, we need to apply it manually.
---
 .rubocop.yml                                 |  1 +
 config/initializers/escape_javascript_fix.rb | 25 ++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 config/initializers/escape_javascript_fix.rb

diff --git a/.rubocop.yml b/.rubocop.yml
index 545422c6d..7c151d364 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -259,6 +259,7 @@ Rails/OutputSafety:
   Severity: warning
   Exclude:
     - app/helpers/text_with_links_helper.rb
+    - config/initializers/escape_javascript_fix.rb
 
 Rails/PluralizationGrammar:
   Enabled: true
diff --git a/config/initializers/escape_javascript_fix.rb b/config/initializers/escape_javascript_fix.rb
new file mode 100644
index 000000000..0f693fdf6
--- /dev/null
+++ b/config/initializers/escape_javascript_fix.rb
@@ -0,0 +1,25 @@
+# Code taken from https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
+# Remove this code after upgrading to Rails 5.2
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+  {
+    "`" => "\\`",
+    "$" => "\\$"
+  }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+  alias :old_ej :escape_javascript
+  alias :old_j :j
+
+  def escape_javascript(javascript)
+    javascript = javascript.to_s
+    if javascript.empty?
+      result = ""
+    else
+      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+    end
+    javascript.html_safe? ? result.html_safe : result
+  end
+
+  alias :j :escape_javascript
+end
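Review bot: Excluding the whole initializer from Rails/OutputSafety is broader than the change needs; the only call the cop would flag is the single `result.html_safe` on the ternary line of the new initializer, which merely preserves the html_safe? state of the input. A trailing `# rubocop:disable Rails/OutputSafety` on that one line would keep the cop active for anything else that is later added to the file. If the team prefers file-level exclusions for vendored snippets, a short YAML comment beside the new entry naming the advisory it covers would explain why this file is special.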
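Review bot: The header comment `# Remove this code after upgrading to Rails 5.2` understates the removal condition: the commit message says the fix shipped in the Rails 5.2.x series, so an upgrade to an early 5.2 release would still leave escape_javascript unpatched while the comment suggests the file can go. I would reword it to `# Remove this code after upgrading to the Rails 5.2.x release that includes this advisory's fix` and, so the patch retires itself instead of silently redefining a method Rails already fixed, wrap the whole file in `unless ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.key?("`")` … `end`, since that key is exactly what the advisory code adds. A second comment line saying that the backtick and `$` entries exist because unescaped values inside a JavaScript template literal can break out of the string would tell a later maintainer what the patch defends against without sending them to the advisory. The `alias :old_ej :escape_javascript` and `alias :old_j :j` lines keep the original implementations but nothing in the file calls them; if they are retained only because the advisory snippet has them, a one-line comment saying so would stop a reader hunting for callers.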