Merge pull request #3963 from consul/escape_xss

Apply escape_javascript security patch
This commit is contained in:
Javier Martín
2020-04-07 15:08:18 +02:00
committed by GitHub
2 changed files with 26 additions and 0 deletions


@@ -259,6 +259,7 @@ Rails/OutputSafety:
Severity: warning
Exclude:
- app/helpers/text_with_links_helper.rb
- config/initializers/escape_javascript_fix.rb
Rails/PluralizationGrammar:
Enabled: true


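--- /dev/null
+++ b/config/initializers/escape_javascript_fix.rb
@@ -0,0 +1,25 @@
+# Code taken from https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
+# Remove this code after upgrading to Rails 5.2
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+{
+"`" => "\\`",
+"$" => "\\$"
+}
+)
+module ActionView::Helpers::JavaScriptHelper
+alias :old_ej :escape_javascript
+alias :old_j :j
+def escape_javascript(javascript)
+javascript = javascript.to_s
+if javascript.empty?
+result = ""
+else
+result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+end
+javascript.html_safe? ? result.html_safe : result
+end
+alias :j :escape_javascript
+end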
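Review bot: The removal note on the second line is too loose: "after upgrading to Rails 5.2" reads as if any 5.2 release carries the fix, but the advisory this code is copied from only lists specific patched releases (5.2.4.2 for the 5.2 series, if I recall correctly; please confirm against the advisory), so the comment should name that exact release, e.g. `# Remove this file once Rails is at a release that includes the fix for GHSA-65cv-r6x7-79hv (5.2.4.2+ on the 5.2 series)`. The `old_ej` and `old_j` aliases keep the unpatched implementation callable under new names without anything on the page using them; either drop them or add a comment saying they are kept only for the advisory's reference shape, so nobody reaches for them. A small regression spec pinning the new escaping, such as `expect(escape_javascript("`$")).to eq("\\`\\$")`, would make the behaviour this initializer exists for visible and keep the file from being removed prematurely. Whether `JS_ESCAPE_MAP` is frozen in the Rails version in use (which would make `merge!` raise at boot) is not visible here and should be checked once.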