1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 # This is related to:
6 # * https://github.com/advisories/GHSA-65cv-r6x7-79hv
7 # * https://nvd.nist.gov/vuln/detail/CVE-2020-5267
8 #
9 # Until we upgrade to rails 5.2, this monkeypatch should be enough
# Extend the escape table with the two characters the advisory above covers.
# Backtick and "$" are what JavaScript template literals interpret, so text
# that reaches a JS literal must have them escaped as well.
#
# escape_javascript (below) substitutes through JS_ESCAPE_MAP, and a regex
# match with no corresponding key is replaced by an empty string; any
# alternative added to its pattern therefore needs an entry here.
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP["`"] = "\\`"
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP["$"] = "\\$"
16
module ActionView::Helpers::JavaScriptHelper
  # Keep the unpatched implementations reachable under their old names;
  # the definitions below replace escape_javascript and j.
  alias :old_ej :escape_javascript
  alias :old_j :j

  # Escape +javascript+ so it can be embedded safely inside a JavaScript
  # string literal (including a template literal).
  #
  # Every sequence the pattern matches is looked up in JS_ESCAPE_MAP, so the
  # pattern and the map must stay in sync: a match without a map entry is
  # replaced by an empty string, silently dropping that character. The
  # backtick and "$" alternatives rely on the entries merged into the map at
  # the top of this file; the U+2028/U+2029 alternatives rely on the entries
  # Rails itself defines (assumed to be UTF-8 keyed — confirm on upgrade).
  #
  # @param javascript [#to_s] text to escape; nil becomes ""
  # @return [String] the escaped text, marked html_safe when the input was
  def escape_javascript(javascript)
    text = javascript.to_s
    escaped =
      if text.empty?
        ""
      else
        text.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
      end
    return escaped.html_safe if text.html_safe?

    escaped
  end

  alias :j :escape_javascript
end