diff options
| author | Andrew Carpenter <andrew@criticaljuncture.org> | 2016-07-28 16:12:21 -0700 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-08-11 10:47:46 -0700 |
| commit | 4394e9075189ee6031944491aecd64fb269cdf54 (patch) | |
| tree | 0f9a9e118875666ae5225713fef44125fc28a11d /actionview/lib/action_view/helpers/tag_helper.rb | |
| parent | b9f71e49ae43c53258da95bda50325a8d0c99a52 (diff) | |
| download | rails-4394e9075189ee6031944491aecd64fb269cdf54.tar.gz rails-4394e9075189ee6031944491aecd64fb269cdf54.tar.bz2 rails-4394e9075189ee6031944491aecd64fb269cdf54.zip | |
ensure tag/content_tag escapes " in attribute vals
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
Diffstat (limited to 'actionview/lib/action_view/helpers/tag_helper.rb')
| -rw-r--r-- | actionview/lib/action_view/helpers/tag_helper.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb index 030d07845b..7af26edf95 100644 --- a/actionview/lib/action_view/helpers/tag_helper.rb +++ b/actionview/lib/action_view/helpers/tag_helper.rb @@ -90,7 +90,7 @@ module ActionView else value = escape ? ERB::Util.unwrapped_html_escape(value) : value end - %(#{key}="#{value}") + %(#{key}="#{value.gsub(/"/, '"'.freeze)}") end private |