Apply escape_javascript security patch

This patch was included in the Rails 5.2.x series, but since we haven't upgraded yet, we need to apply it manually.
2020-04-06 16:08:32 +02:00
parent 0d43d677da
commit 03c135e5fd
2 changed files with 26 additions and 0 deletions
--- a/config/initializers/escape_javascript_fix.rb
+++ b/config/initializers/escape_javascript_fix.rb
@@ -0,0 +1,25 @@
+# Code taken from https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
+# Remove this code after upgrading to Rails 5.2
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+  {
+    "`" => "\\`",
+    "$" => "\\$"
+  }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+  alias :old_ej :escape_javascript
+  alias :old_j :j
+
+  def escape_javascript(javascript)
+    javascript = javascript.to_s
+    if javascript.empty?
+      result = ""
+    else
+      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+    end
+    javascript.html_safe? ? result.html_safe : result
+  end
+
+  alias :j :escape_javascript
+end