There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the j or escape_javascript methods
may be susceptible to XSS attacks.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2
Impact
There is a possible XSS vulnerability in the j and escape_javascript
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:
<script>let a =`<%= j unknown_input %>`</script>
or
<script>let a =`<%= escape_javascript unknown_input %>`</script>
Releases
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
For those that can't upgrade, the following monkey patch may be used:
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j  :j

  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end
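As an added illustration (not code from the advisory or from Rails), the following stand-alone Ruby models escape_javascript with the escape map ActionView 5.2.3 used and with the two entries the fix adds, and then checks whether the escaped value can still close or interpolate into a surrounding template literal, which is the failure mode the Impact section describes. The names escape_javascript(patched:), safe_in_template_literal? and UNTRUSTED_INPUT are assumptions made for this example; the U+2028/U+2029 entries are written as \u escapes rather than the octal byte sequences the patch uses.

```ruby
# Added example, not the advisory's code: a stand-alone model of ActionView's
# escape_javascript before and after the CVE-2020-5267 fix (no Rails required).

# Escape map equivalent to ActionView 5.2.3 (pre-fix); U+2028/U+2029 are written
# as \u escapes here, the advisory's patch spells them as octal byte sequences.
PRE_FIX_MAP = {
  "\\" => "\\\\", "</" => "<\\/", "\r\n" => "\\n", "\n" => "\\n", "\r" => "\\n",
  "\"" => "\\\"", "'" => "\\'", "\u2028" => "&#x2028;", "\u2029" => "&#x2029;",
}.freeze
PRE_FIX_RE = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/u

# The fix adds the two characters that end or interpolate a JS template literal.
POST_FIX_MAP = PRE_FIX_MAP.merge("`" => "\\`", "$" => "\\$").freeze
POST_FIX_RE  = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"']|[`]|[$])/u

# Same shape as the helper in the advisory: empty input stays empty, otherwise
# each regex match is replaced by its entry in the map.
def escape_javascript(str, patched:)
  str = str.to_s
  return "" if str.empty?
  patched ? str.gsub(POST_FIX_RE, POST_FIX_MAP) : str.gsub(PRE_FIX_RE, PRE_FIX_MAP)
end

# Defender-side check on the escaped output: walk it honouring backslash escapes
# and fail if a bare backtick (closes the literal) or "${" (interpolation) remains.
def safe_in_template_literal?(escaped)
  i = 0
  while i < escaped.length
    if escaped[i] == "\\"
      i += 2 # whatever follows a backslash is inert inside the literal
      next
    end
    return false if escaped[i] == "`" || (escaped[i] == "$" && escaped[i + 1] == "{")
    i += 1
  end
  true
end

# Constructed untrusted input (hypothetical): ordinary text that happens to contain
# both characters, as it might arrive from a form field.
UNTRUSTED_INPUT = "Hello `${name}` world\n".freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |patched|
    out = escape_javascript(UNTRUSTED_INPUT, patched: patched)
    puts "patched=#{patched}: #{out.inspect} safe=#{safe_in_template_literal?(out)}"
  end
end
```

With the pre-fix map the backtick and "$" pass through untouched, so the check fails; with the fixed map both are backslash-escaped and the value is inert inside the literal.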
🚨 We recommend merging and deploying this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of actionview has known security vulnerabilities 🚨
Advisory: CVE-2020-5267
Disclosed: March 19, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Possible XSS vulnerability in ActionView
What changed?
✳️ rails (5.2.3 → 5.2.4.2) · Repo
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actioncable (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionmailer (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionpack (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionview (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activejob (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activemodel (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activerecord (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activestorage (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
↗️ activesupport (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog
↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.6) · Repo · Changelog
Release Notes
1.1.6 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ crass (indirect, 1.0.5 → 1.0.6) · Repo · Changelog
Release Notes
1.0.6
Commits
See the full diff on Github. The new version differs by 4 commits:
Release 1.0.6
Limit number values to a sensible range
Update history
Add project metadata to the gemspec
↗️ i18n (indirect, 1.7.0 → 1.8.2) · Repo · Changelog
Release Notes
1.8.2
Commits
See the full diff on Github. The new version differs by 42 commits:
Bump to 1.8.2
Fix regression introduced by b7f69f78
Add pry to Gemfile
Expand post-install message to clarify for new apps
Bump to 1.8.1
Merge pull request #508 from ruby-i18n/revert-499-chain-fallback-backends
Revert "Chain fallback backends"
Bump to 1.8.0
Merge pull request #499 from vipera/chain-fallback-backends
Bump to 1.7.1
Merge pull request #503 from CrAsH1101/preserve-count-option
Add test for preserving count option
Merge pull request #505 from peterberkenbosch/update-readme-with-gh-workflow-badge
Replace TravisCI badge with GH Actions badge
Merge pull request #504 from ruby-i18n/bump-ruby-rails
:wave: Travis CI :cry:
Ignore Ruby 2.3.8 + Rails 6.0.x
Correct Rails version number
Correct more ruby versions
Use actions/checkout@v2
Ignore Rails 6.0.0 + Ruby 2.4
Specify exact versions for eregon/use-ruby-action
Use eregon/use-ruby-action for Ruby 2.7, 2.3 + JRuby support
Undo required_ruby_version bump
Add missing Gemfile
Fail slowly
Bump Ruby + Rails versions
Merge pull request #501 from alchimere/add-user-friendly-comment-on-translate-kwargs
Add comment on kwargs to avoid new people open issues like #500
Preserve count option
I18n::Backend::Chain#translations fallback merge
Use activesupport implementation of Hash#deep_merge!
Merge pull request #495 from ghiculescu/pluralization_fallback_test
Add tests for existing behavior
Merge pull request #480 from Tietew/exclude-count-on-retrieve-link
Add JRuby to build pipeline
Add Ruby 2.3 to Ruby pipeline
One i in gemfile
Exclude Ruby 2.4.x + Rails master Gemfile build
Update ruby.yml
Update ruby.yml
Exclude :count option on retrieve link
↗️ loofah (indirect, 2.3.1 → 2.4.0) · Repo · Changelog
Release Notes
2.4.0
Commits
See the full diff on Github. The new version differs by 11 commits:
version bump to v2.4.0
ci: don't turn on frozen strings until after bundle install
update CHANGELOG
add magic comment for frozen string literals to all files
add rubocop as dev dep and configure security and frozen string cops
test suite should check compatibility with frozen string literals
Merge pull request #175 from bchaney/allow-css-max-width
Merge pull request #177 from flavorjones/176-allow-rem-css-sizes
css sanitizer allows "rem" sizes
Allow CSS property: max-width
ci: update concourse, add ruby 2.7 jobs
↗️ mimemagic (indirect, 0.3.3 → 0.3.4) · Repo · Changelog
Release Notes
0.3.4 (from changelog)
Commits
See the full diff on Github. The new version differs by 16 commits:
v0.3.4
Merge pull request #81 from jcoyne/patch-1
Remove rubyforge_project
Merge pull request #79 from mathieumahe/frozen_string_literal
Add frozen_string_literal
Merge pull request #64 from atambo/openxml
Merge pull request #73 from olleolleolle/patch-1
CI: rbx-3 in allow_failures, comment on Bundler
Merge pull request #72 from olleolleolle/patch-3
Merge pull request #71 from olleolleolle/patch-2
Merge pull request #70 from olleolleolle/patch-1
Travis: Use Bundler < 2
README: Use GitHub Markdown code fences
README: Use SVG badges
Merge pull request #68 from viraptor/metadata-uris
Add metadata uris
↗️ minitest (indirect, 5.13.0 → 5.14.0) · Repo · Changelog
Release Notes
5.14.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 8 commits:
prepped for release
Closed temporary IOs when exiting capture_subprocess_io. (doudou)
- Added example for value wrapper with block to Expectations module. (stomar)
Added minitest_log to known modules (BurdetteLamar)
+ Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)
- Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)
+ Changed assert_raises to only catch Assertion since that covers Skip and friends.
- Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)
↗️ nokogiri (indirect, 1.10.5 → 1.10.9) · Repo · Changelog
Release Notes
1.10.9
1.10.8
1.10.7
1.10.6
Commits
See the full diff on Github. The new version differs by 19 commits:
version bump to v1.10.9
update CHANGELOG
Change return type to RubyArray
update CHANGELOG for #1985
Work around a bug in libxml2
version bump to v1.10.8
update CHANGELOG for v1.10.8
remove patches from the hoe Manifest
update to use rake-compiler ~1.1.0
backport libxml2 patch for CVE-2020-7595
version bump to v1.10.7
update CHANGELOG
Fix the patch from #1953 to work with both `git` and `patch`
Fix typo in generated metadata
add gem metadata
version bump to v1.10.6
update CHANGELOG
Add a patch to fix libxml2.la's path
add security note to CHANGELOG
↗️ rack (indirect, 2.1.1 → 2.2.2) · Repo · Changelog
Release Notes
2.2.2 (from changelog)
2.2.1 (from changelog)
2.2.0 (from changelog)
2.1.2 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ railties (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rake (indirect, 13.0.0 → 13.0.1) · Repo · Changelog
Release Notes
13.0.1 (from changelog)
Commits
See the full diff on Github. The new version differs by 10 commits:
Bump version to 13.0.1
Fixed build failure of the latest GitHub Actions
Merge pull request #271 from thorsteneckel/bugfix-reenable_invocation_exception
Merge pull request #327 from mjbellantoni/mjb-order-only-arg-fix
Merge pull request #329 from jeremyevans/skip-taint-test-on-2.7
Skip a taint test on Ruby 2.7
Merge pull request #328 from orien/gem-metadata
Add project metadata to the gemspec
Update comments to reflect the current state
Fix an incorrectly resolved arg pattern
↗️ thor (indirect, 0.20.3 → 1.0.1) · Repo · Changelog
Release Notes
1.0.1 (from changelog)
1.0.0 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ tzinfo (indirect, 1.2.5 → 1.2.6) · Repo · Changelog
Release Notes
1.2.6
Commits
See the full diff on Github. The new version differs by 27 commits:
Update copyright years.
Preparing v1.2.6.
Replace expired gem signing certificate.
Fix a comment.
Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
Try and fix an incorrect rake version being picked with JRuby 1.7.
Convert to UNIX line endings.
Simplify minitest version constraint.
Update to Ruby v2.7.0-rc2.
Run CI tests on Windows with AppVeyor.
Enable verbose test output.
Update Travis CI Ruby versions.
Prevent bundler from attempting to use version minitest v5.12.0.
Allow newer versions of Rake that fix warnings with Ruby 2.7.
Eliminate a warning when calling File.open with keyword arguments.
Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
Fix test failures on Ruby 1.8.7 caused by DateTime issues.
Remove the unused REQUIRE_PATH constant from RubyDataSource.
Fix SecurityErrors when loading data in safe mode.
Test that RUBY_ENGINE is defined.
Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
Update to the latest Ruby, JRuby and Rubinius releases.
Fix a documentation typo.
Return the correct seconds since the epoch value for strftime with %s.
Restrictions on timezones only apply to older (pre-1.9) Ruby releases.