Sha256: b99a1b6dd4774c1af5cee7d103fe0243101b9db5cfa6759c50f431ebdab17e13
Contents?: true
Size: 1.69 KB
Versions: 1
Compression:
Stored size: 1.69 KB
Contents
---
gem: actionview
framework: rails
cve: 2020-5267
date: 2020-03-19
url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
title: Possible XSS vulnerability in ActionView
description: |
There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the `j` or `escape_javascript` methods
may be susceptible to XSS attacks.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2
Impact
------
There is a possible XSS vulnerability in the `j` and `escape_javascript`
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:
```erb
<script>let a = `<%= j unknown_input %>`</script>
```
or
```erb
<script>let a = `<%= escape_javascript unknown_input %>`</script>
```
Releases
--------
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
-----------
For those that can't upgrade, the following monkey patch may be used:
```ruby
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
{
"`" => "\\`",
"$" => "\\$"
}
)
module ActionView::Helpers::JavaScriptHelper
alias :old_ej :escape_javascript
alias :old_j :j
def escape_javascript(javascript)
javascript = javascript.to_s
if javascript.empty?
result = ""
else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
end
alias :j :escape_javascript
end
```
patched_versions:
- "~> 5.2.4, >= 5.2.4.2"
- ">= 6.0.2.2"
Version data entries
1 entries across 1 versions & 1 rubygems
| Version | Path |
|---|---|
| bundler-audit-0.7.0.1 | data/ruby-advisory-db/gems/actionview/CVE-2020-5267.yml |