---
gem: actionview
framework: rails
cve: 2020-5267
date: 2020-03-19
url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
title: Possible XSS vulnerability in ActionView
description: |
  There is a possible XSS vulnerability in ActionView's JavaScript literal
  escape helpers.  Views that use the `j` or `escape_javascript` methods
  may be susceptible to XSS attacks.

  Versions Affected:  All.
  Not affected:       None.
  Fixed Versions:     6.0.2.2, 5.2.4.2

  Impact
  ------
  There is a possible XSS vulnerability in the `j` and `escape_javascript`
  methods in ActionView.  These methods are used for escaping JavaScript string
  literals.  Impacted code will look something like this:

  ```erb
  <script>let a = `<%= j unknown_input %>`</script>
  ```

  or

  ```erb
  <script>let a = `<%= escape_javascript unknown_input %>`</script>
  ```

  Releases
  --------
  The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

  Workarounds
  -----------
  For those that can't upgrade, the following monkey patch may be used:

  ```ruby
  ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
    {
      "`" => "\\`",
      "$" => "\\$"
    }
  )

  module ActionView::Helpers::JavaScriptHelper
    alias :old_ej :escape_javascript
    alias :old_j :j

    def escape_javascript(javascript)
      javascript = javascript.to_s
      if javascript.empty?
        result = ""
      else
        result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
      end
      javascript.html_safe? ? result.html_safe : result
    end

    alias :j :escape_javascript
  end
  ```

patched_versions:
  - "~> 5.2.4, >= 5.2.4.2"
  - ">= 6.0.2.2"