From 4bcccf5ecd81a6272479537911b7d9760c5be164 Mon Sep 17 00:00:00 2001
From: Andrew Carpenter <andrew@criticaljuncture.org>
Date: Thu, 28 Jul 2016 16:12:21 -0700
Subject: ensure tag/content_tag escapes " in attribute vals

Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`

CVE-2016-6316
---
 actionpack/lib/action_view/helpers/tag_helper.rb | 15 +++++++++++----
 actionpack/test/template/tag_helper_test.rb      | 10 ++++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 7f58a27d6a..34741b8d79 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -141,20 +141,27 @@ module ActionView
                   unless v.is_a?(String) || v.is_a?(Symbol) || v.is_a?(BigDecimal)
                     v = v.to_json
                   end
-                  v = ERB::Util.html_escape(v) if escape
-                  attrs << %(data-#{k.to_s.dasherize}="#{v}")
+                  attrs << tag_option("data-#{k.to_s.dasherize}", v, escape)
                 end
               elsif BOOLEAN_ATTRIBUTES.include?(key)
                 attrs << %(#{key}="#{key}") if value
               elsif !value.nil?
                 final_value = value.is_a?(Array) ? value.join(" ") : value
-                final_value = ERB::Util.html_escape(final_value) if escape
-                attrs << %(#{key}="#{final_value}")
+                attrs << tag_option(key, value, escape)
               end
             end
             " #{attrs.sort * ' '}".html_safe unless attrs.empty?
           end
         end
+
+        def tag_option(key, value, escape)
+          if value.is_a?(Array)
+            value = escape ? safe_join(value, " ") : value.join(" ")
+          else
+            value = escape ? ERB::Util.html_escape(value) : value
+          end
+          %(#{key}="#{value.gsub(/"/, '&quot;'.freeze)}")
+        end
     end
   end
 end
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index e36295569e..9c3d636765 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -101,6 +101,16 @@ class TagHelperTest < ActionView::TestCase
     end
   end
 
+  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p title="&quot;">content</p>',
+      content_tag('p', "content", title: '"'.html_safe)
+  end
+
+  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p data-title="&quot;">content</p>',
+      content_tag('p', "content", data: { title: '"'.html_safe })
+  end
+
   def test_skip_invalid_escaped_attributes
     ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
       assert_equal %(<a href="#{escaped.gsub(/&/, '&amp;')}" />), tag('a', :href => escaped)
-- 
cgit v1.2.3


From ebc3639139d21eeb8452edb28ce62530cc075198 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 10 Aug 2016 15:23:08 -0700
Subject: bumping version

---
 RAILS_VERSION                                 | 2 +-
 actionmailer/lib/action_mailer/version.rb     | 2 +-
 actionpack/lib/action_pack/version.rb         | 2 +-
 activemodel/lib/active_model/version.rb       | 2 +-
 activerecord/lib/active_record/version.rb     | 2 +-
 activeresource/lib/active_resource/version.rb | 2 +-
 activesupport/lib/active_support/version.rb   | 2 +-
 railties/lib/rails/version.rb                 | 2 +-
 version.rb                                    | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/RAILS_VERSION b/RAILS_VERSION
index 7ccb616656..f05e43bdbc 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.2.22.2
+3.2.22.3
diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
index 0cb34f8021..669b5851da 100644
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -3,7 +3,7 @@ module ActionMailer
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 4fdf8cbf91..9c08a5d9a6 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module ActionPack
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
index b37dcc731a..b6a041f964 100644
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -3,7 +3,7 @@ module ActiveModel
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index 97d779e388..7cfe3fff79 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -3,7 +3,7 @@ module ActiveRecord
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
index b12992013e..e8b791bb60 100644
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -3,7 +3,7 @@ module ActiveResource
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 0739bd494d..17b1993ed9 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -3,7 +3,7 @@ module ActiveSupport
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
index e8b85992ec..f0b4234780 100644
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -3,7 +3,7 @@ module Rails
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
diff --git a/version.rb b/version.rb
index e8b85992ec..f0b4234780 100644
--- a/version.rb
+++ b/version.rb
@@ -3,7 +3,7 @@ module Rails
     MAJOR = 3
     MINOR = 2
     TINY  = 22
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
-- 
cgit v1.2.3