Apply escape_javascript security patch
This patch was included in the Rails 5.2.x series, but since we haven't upgraded yet, we need to apply it manually.
@@ -259,6 +259,7 @@ Rails/OutputSafety:
|
|||||||
Severity: warning
|
Severity: warning
|
||||||
Exclude:
|
Exclude:
|
||||||
- app/helpers/text_with_links_helper.rb
|
- app/helpers/text_with_links_helper.rb
|
||||||
|
- config/initializers/escape_javascript_fix.rb
|
||||||
|
|
||||||
Rails/PluralizationGrammar:
|
Rails/PluralizationGrammar:
|
||||||
Enabled: true
|
Enabled: true
|
||||||
|
|||||||
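--- /dev/null
+++ b/config/initializers/escape_javascript_fix.rb
@@ -0,0 +1,25 @@
+# Code taken from https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
+# Remove this code after upgrading to Rails 5.2
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+  {
+    "`" => "\\`",
+    "$" => "\\$"
+  }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+  alias :old_ej :escape_javascript
+  alias :old_j :j
+
+  def escape_javascript(javascript)
+    javascript = javascript.to_s
+    if javascript.empty?
+      result = ""
+    else
+      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+    end
+    javascript.html_safe? ? result.html_safe : result
+  end
+
+  alias :j :escape_javascript
+end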
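Review bot: The aliases `old_ej` and `old_j` keep the unpatched escape_javascript and j reachable under new names, and nothing in the file calls them; since the purpose of this initializer is to retire the behaviour that leaves backtick and dollar unescaped, drop both `alias` lines so the vulnerable implementation cannot be reached by mistake. The removal comment `# Remove this code after upgrading to Rails 5.2` is also easy to misread: the commit description says the fix shipped in a 5.2.x point release rather than in 5.2 itself, so name the exact patched release from the advisory, e.g. `# Remove once on Rails <patched 5.2.x release> or later (see GHSA-65cv-r6x7-79hv)`. Wrapping the whole file in a guard such as `if Gem::Version.new(Rails.version) < Gem::Version.new("<patched 5.2.x release>")` would make the override stop applying after the upgrade instead of silently shadowing the framework's own fixed implementation. The rest of the body matches the advisory's workaround, including the regex and the html_safe handling, so no further change is needed there.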