From 4bcccf5ecd81a6272479537911b7d9760c5be164 Mon Sep 17 00:00:00 2001
From: Andrew Carpenter <andrew@criticaljuncture.org>
Date: Thu, 28 Jul 2016 16:12:21 -0700
Subject: ensure tag/content_tag escapes " in attribute vals

Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`

CVE-2016-6316
---
 actionpack/test/template/tag_helper_test.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'actionpack/test/template/tag_helper_test.rb')

diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index e36295569e..9c3d636765 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -101,6 +101,16 @@ class TagHelperTest < ActionView::TestCase
     end
   end
 
+  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p title="&quot;">content</p>',
+      content_tag('p', "content", title: '"'.html_safe)
+  end
+
+  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p data-title="&quot;">content</p>',
+      content_tag('p', "content", data: { title: '"'.html_safe })
+  end
+
   def test_skip_invalid_escaped_attributes
     ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
       assert_equal %(<a href="#{escaped.gsub(/&/, '&amp;')}" />), tag('a', :href => escaped)
-- 
cgit v1.2.3