From 6ece1687de00d314ab6fbdc4dad1065642a2c712 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Sun, 6 Jan 2013 20:15:05 +0100
Subject: [PATCH] Fix XSS vulnerabilities in Rails (CVE-2012-3464, CVE-2012-3465) #1113 #1114
---
config/initializers/10-patches.rb | 64 +++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb
index 69165274..2d4ab3d4 100644
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -326,3 +326,67 @@ module ActiveRecord
 end
 end
 end
+
+# Backported fix for CVE-2012-3465
+# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
+# TODO: Remove this once we are on Rails >= 3.2.8
+require 'action_view/helpers/sanitize_helper'
+module ActionView::Helpers::SanitizeHelper
+ def strip_tags(html)
+ self.class.full_sanitizer.sanitize(html)
+ end
+end
+
+# Backported fix for CVE-2012-3464
+# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
+# TODO: Remove this once we are on Rails >= 3.2.8
+require 'active_support/core_ext/string/output_safety'
+class ERB
+ module Util
+ HTML_ESCAPE["'"] = '''
+
+ if RUBY_VERSION >= '1.9'
+ # A utility method for escaping HTML tag characters.
+ # This method is also aliased as h.
+ #
+ # In your ERB templates, use this method to escape any unsafe content. For example:
+ # <%=h @person.name %>
+ #
+ # ==== Example:
+ # puts html_escape("is a > 0 & a < 10?")
+ # # => is a > 0 & a < 10?
+ def html_escape(s)
+ s = s.to_s
+ if s.html_safe?
+ s
+ else
+ s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
+ end
+ end
+ else
+ def html_escape(s) #:nodoc:
+ s = s.to_s
+ if s.html_safe?
+ s
+ else
+ s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
+ end
+ end
+ end
+
+ # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
+ remove_method(:h)
+ alias h html_escape
+
+ module_function :h
+
+ singleton_class.send(:remove_method, :html_escape)
+ module_function :html_escape
+ end
+end
+require 'action_view/helpers/tag_helper'
+module ActionView::Helpers::TagHelper
+ def escape_once(html)
+ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ end
+end
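Review bot: Both backports are installed unconditionally, so the two `# TODO: Remove this once we are on Rails >= 3.2.8` comments depend on someone remembering, and until then the redefined `html_escape`, `h`, `strip_tags` and `escape_once` keep overriding whatever a newer Rails ships, including any later upstream change to the escaping tables. Guarding each backport with `if Gem::Version.new(Rails.version) < Gem::Version.new('3.2.8')` … `end` lets the patch retire itself on upgrade. Separately, `HTML_ESCAPE["'"] = '''` as it reads on this page is an unterminated string literal; this looks like the numeric entity `&#39;` decoded by the page rendering (the doc example `# # => is a > 0 & a < 10?` shows the same decoding), so confirm the committed file still carries the entity form, since a parse error here would stop every fix in this initializer from loading. The three `end` context lines close an `ActiveRecord` block that begins outside the hunk.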