diff options
| author | Andrew Carpenter <andrew@criticaljuncture.org> | 2016-07-28 16:12:21 -0700 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-08-10 15:22:31 -0700 |
| commit | 4bcccf5ecd81a6272479537911b7d9760c5be164 (patch) | |
| tree | b4b963ba1d9ad119180b8506813480b7a8fe1706 | |
| parent | 1ac2ddbc433ec96dd06affb6f10f33d9eb12d52a (diff) | |
| download | rails-4bcccf5ecd81a6272479537911b7d9760c5be164.tar.gz rails-4bcccf5ecd81a6272479537911b7d9760c5be164.tar.bz2 rails-4bcccf5ecd81a6272479537911b7d9760c5be164.zip | |
ensure tag/content_tag escapes " in attribute vals
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
| -rw-r--r-- | actionpack/lib/action_view/helpers/tag_helper.rb | 15 | ||||
| -rw-r--r-- | actionpack/test/template/tag_helper_test.rb | 10 |
2 files changed, 21 insertions, 4 deletions
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb index 7f58a27d6a..34741b8d79 100644 --- a/actionpack/lib/action_view/helpers/tag_helper.rb +++ b/actionpack/lib/action_view/helpers/tag_helper.rb @@ -141,20 +141,27 @@ module ActionView unless v.is_a?(String) || v.is_a?(Symbol) || v.is_a?(BigDecimal) v = v.to_json end - v = ERB::Util.html_escape(v) if escape - attrs << %(data-#{k.to_s.dasherize}="#{v}") + attrs << tag_option("data-#{k.to_s.dasherize}", v, escape) end elsif BOOLEAN_ATTRIBUTES.include?(key) attrs << %(#{key}="#{key}") if value elsif !value.nil? final_value = value.is_a?(Array) ? value.join(" ") : value - final_value = ERB::Util.html_escape(final_value) if escape - attrs << %(#{key}="#{final_value}") + attrs << tag_option(key, value, escape) end end " #{attrs.sort * ' '}".html_safe unless attrs.empty? end end + + def tag_option(key, value, escape) + if value.is_a?(Array) + value = escape ? safe_join(value, " ") : value.join(" ") + else + value = escape ? ERB::Util.html_escape(value) : value + end + %(#{key}="#{value.gsub(/"/, '"'.freeze)}") + end end end end diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb index e36295569e..9c3d636765 100644 --- a/actionpack/test/template/tag_helper_test.rb +++ b/actionpack/test/template/tag_helper_test.rb @@ -101,6 +101,16 @@ class TagHelperTest < ActionView::TestCase end end + def test_tag_does_not_honor_html_safe_double_quotes_as_attributes + assert_dom_equal '<p title=""">content</p>', + content_tag('p', "content", title: '"'.html_safe) + end + + def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes + assert_dom_equal '<p data-title=""">content</p>', + content_tag('p', "content", data: { title: '"'.html_safe }) + end + def test_skip_invalid_escaped_attributes ['&1;', 'dfa3;', '& #123;'].each do |escaped| assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag('a', :href => escaped) |