CVE-2017-20159: Always escape quotes in attributes; support array attrs · rf-/keynote@05be435

A vulnerability was found in rf Keynote up to 0.x. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/keynote/rumble.rb. Manipulation of the argument value leads to cross-site scripting. The attack may be launched remotely. Upgrading to version 1.0.0 addresses this issue. The name of the patch is 05be4356b0a6ca7de48da926a9b997beb5ffeb4a. It is recommended to upgrade the affected component. VDB-217142 is the identifier assigned to this vulnerability.

CVE · #xss #vulnerability


Always escape quotes in attributes; support array attrs

The current behavior is to pass HTML-safe strings through unaltered, but this can still cause an XSS vulnerability if the string has an unescaped quote in it:

rails/rails@4394e90

I also added support for array attributes, since I noticed Rails does it when I was copying their escaping code.


rf- committed on Jul 22, 2017 · 1 parent 87d309c · commit 05be4356b0a6ca7de48da926a9b997beb5ffeb4a
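To make the commit message's point concrete, the following is an added illustration, not code from Keynote or from Rails: a minimal attribute builder that reproduces the behaviour described above, once in the pre-patch form (a string marked HTML-safe is interpolated unaltered) and once in the patched form (array values joined with spaces, and every double quote replaced by `&quot;` regardless of the safe flag). `SafeString`, `marked_safe?`, `escape_unless_safe` and `attribute_value` are names chosen here; `SafeString` stands in for a Rails `html_safe` string and `escape_unless_safe` for `Rumble.html_escape`, both assumptions of this example. The sample attribute hash is constructed.

```ruby
# Added illustration, not code from Keynote or Rails: a minimal attribute
# builder reproducing the before/after behaviour the commit message describes.
# SafeString stands in for a Rails html_safe string and escape_unless_safe for
# Rumble.html_escape; both are assumptions made for this example.
require "erb"

# A string that claims to be already escaped (stand-in for String#html_safe).
class SafeString < String
  def html_safe?
    true
  end
end

def marked_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Escape unless the value claims to be safe. The "safe" path is exactly the
# one through which a literal double quote reaches the attribute unescaped.
def escape_unless_safe(value)
  marked_safe?(value) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Pre-patch behaviour: a safe string is interpolated into the quoted
# attribute as-is, so a " inside it terminates the attribute early.
def attrs_to_s_before(attributes)
  attributes.inject(+"") do |res, (name, value)|
    next res unless value
    value = (value == true) ? name.to_s : escape_unless_safe(value)
    res << " #{name}=\"#{value}\""
  end
end

# Patched behaviour: arrays are escaped element-wise and joined with spaces,
# and every " becomes &quot; whether or not the value was marked safe.
def attrs_to_s_after(attributes)
  attributes.inject(+"") do |res, (name, value)|
    next res unless value
    value =
      if value.is_a?(Array)
        value.map { |val| escape_unless_safe(val) }.join(" ")
      elsif value == true
        name.to_s
      else
        escape_unless_safe(value)
      end
    res << " #{name}=\"#{value.gsub('"', "&quot;")}\""
  end
end

# Read one attribute back the way a lenient parser would: everything up to
# the next double quote. Shows which value a browser would actually see.
def attribute_value(attr_string, name)
  m = attr_string.match(/ #{Regexp.escape(name.to_s)}="([^"]*)"/)
  m && m[1]
end

# Constructed sample: a "safe" value containing quotes, a boolean attribute
# and a nil attribute that must be skipped without breaking the accumulator.
SAMPLE = {
  title:    SafeString.new('say "hi"'),
  disabled: true,
  hidden:   nil,
}.freeze

# Constructed sample for the array support: an escaped entry and a pre-escaped
# (safe) entry side by side.
CLASS_SAMPLE = { class: ["a", "b&c", SafeString.new("d&amp;e")] }.freeze

if $PROGRAM_NAME == __FILE__
  before = attrs_to_s_before(SAMPLE)
  after  = attrs_to_s_after(SAMPLE)
  puts "before:#{before}"
  puts "after: #{after}"
  # The parser sees a truncated title in the first case, the whole value in the second.
  puts "title before: #{attribute_value(before, :title).inspect}"
  puts "title after:  #{attribute_value(after, :title).inspect}"
  puts "array:#{attrs_to_s_after(CLASS_SAMPLE)}"
end
```

The `attribute_value` read-back is the check a reviewer would want: with the pre-patch builder the `title` value a parser recovers is just `say ` because the first embedded quote closes the attribute, whereas the patched builder yields the full value with `&quot;` entities. Note that the accumulator is kept with `next res unless value`; returning bare `next` from an `inject` block would set `res` to nil for the following attribute.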

Showing 2 changed files with 26 additions and 6 deletions.

    • rumble.rb
    • rumble_spec.rb

@@ -323,10 +323,18 @@ def inspect; to_s.inspect end

def attrs_to_s

attributes.inject(“”) do |res, (name, value)|

if value

value = (value == true) ? name : Rumble.html_escape(value)

res << " #{name}=\"#{value}\""

end

next unless value

value =

if value.is_a?(Array)

value.map { |val| Rumble.html_escape(val) }.join(" ")

elsif value == true

name

else

Rumble.html_escape(value)

end

res << " #{name}=\"#{value.gsub('"’.freeze, '"’.freeze)}\""

res

end

end
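Review bot: `next unless value` yields nil as the block's value, so inside `inject` the accumulator `res` becomes nil for the next pair whenever an attribute with a nil or false value is followed by another attribute, and the later `res << ...` then raises; `next res unless value` keeps the accumulator, unless falsy values are already filtered out before `attrs_to_s` is called. Separately, as rendered here the search and replacement arguments of `value.gsub(...)` on the `res <<` line look identical, which would make the replacement a no-op; for the change to do what the message says the replacement must be the `&quot;` entity, so this is worth confirming against the source rather than this page's rendering. Finally, in the `value == true` branch `value` is `name`, so if attribute names are Symbols the `gsub` call needs `name.to_s`.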

@@ -67,11 +67,23 @@ def test_string_data

def test_hash_data

str = <<-HTML

<div data-modal="true" data-test=""test""></div>

<div data-modal="true" data-safe=""""" data-unsafe=""&quot;"">

</div>

HTML

assert_rumble str do

div data: { modal: true, safe: '"""’.html_safe, unsafe: ‘"""’ }

end

end

def test_array_attrs

str = <<-HTML

<div class="hello “uns&amp;fe” "w&rld"">

</div>

HTML

assert_rumble str do

div data: { modal: true, test: ‘"test"’ }

div class: ["hello", '"uns&fe"’, '"w&rld"’.html_safe]

end

end
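Review bot: the `div data: { modal: true, test: '"test"' }` line at the end of `test_array_attrs` has no counterpart in that test's expected heredoc, which contains only the `class` div; with the +/- markers lost in this rendering it reads as the line removed from `test_hash_data` rather than an addition, so if it really sits inside `test_array_attrs` the expected string is missing a line. The expected `data-safe="..."` value is also rendered with bare double quotes inside the attribute, which contradicts the commit's stated intent of escaping quotes even in html_safe strings; the source should show `&quot;` entities there. A case with a `true` value outside the `data:` hash (for example `disabled`) and one with a nil or false attribute preceding another attribute would cover the remaining branches of `attrs_to_s`.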


Related news

GHSA-399p-vq28-5hg8: keynote Cross-site Scripting vulnerability
