There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the j or escape_javascript methods
may be susceptible to XSS attacks.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2
Impact
There is a possible XSS vulnerability in the j and escape_javascript
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:
<script>let a =`<%= j unknown_input %>`</script>
or
<script>let a =`<%= escape_javascript unknown_input %>`</script>
Releases
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
For those that can't upgrade, the following monkey patch may be used:
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
{
"`" => "\\`",
"$" => "\\$"
}
)
moduleActionView::Helpers::JavaScriptHelperalias:old_ej:escape_javascriptalias:old_j:jdefescape_javascript(javascript)
javascript = javascript.to_s
if javascript.empty?
result =""else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
endalias:j:escape_javascriptend
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
4 years ago
🚨 Your version of actionview has known security vulnerabilities 🚨
Advisory: CVE-2020-5267 Disclosed: March 19, 2020 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Possible XSS vulnerability in ActionView
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (5.2.3 → 5.2.4.2) · Repo
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actioncable (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionmailer (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionpack (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionview (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activejob (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activemodel (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activerecord (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activestorage (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
↗️ activesupport (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog
↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.6) · Repo · Changelog
Release Notes
1.1.6 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ crass (indirect, 1.0.5 → 1.0.6) · Repo · Changelog
Release Notes
1.0.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 4 commits:
Release 1.0.6Limit number values to a sensible rangeUpdate historyAdd project metadata to the gemspec↗️ i18n (indirect, 1.7.0 → 1.8.2) · Repo · Changelog
Release Notes
1.8.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 42 commits:
Bump to 1.8.2Fix regression introduced by b7f69f78Add pry to GemfileExpand post-install message to clarify for new appsBump to 1.8.1Merge pull request #508 from ruby-i18n/revert-499-chain-fallback-backendsRevert "Chain fallback backends"Bump to 1.8.0Merge pull request #499 from vipera/chain-fallback-backendsBump to 1.7.1Merge pull request #503 from CrAsH1101/preserve-count-optionAdd test for preserving count optionMerge pull request #505 from peterberkenbosch/update-readme-with-gh-workflow-badgeReplace TravisCI badge with GH Actions badgeMerge pull request #504 from ruby-i18n/bump-ruby-rails:wave: Travis CI :cry:Ignore Ruby 2.3.8 + Rails 6.0.xCorrect Rails version numberCorrect more ruby versionsUse actions/checkout@v2Ignore Rails 6.0.0 + Ruby 2.4Specify exact versions for eregon/use-ruby-actionUse eregon/use-ruby-action for Ruby 2.7, 2.3 + JRuby supportUndo required_ruby_version bumpAdd missing GemfileFail slowlyBump Ruby + Rails versionsMerge pull request #501 from alchimere/add-user-friendly-comment-on-translate-kwargsAdd comment on kwargs to avoid new people open issues like #500Preserve count optionI18n::Backend::Chain#translations fallback mergeUse activesupport implementation of Hash#deep_merge!Merge pull request #495 from ghiculescu/pluralization_fallback_testAdd tests for existing behaviorMerge pull request #480 from Tietew/exclude-count-on-retrieve-linkAdd JRuby to build pipelineAdd Ruby 2.3 to Ruby pipelineOne i in gemfileExclude Ruby 2.4.x + Rails master Gemfile buildUpdate ruby.ymlUpdate ruby.ymlExclude :count option on retrieve link↗️ loofah (indirect, 2.3.1 → 2.4.0) · Repo · Changelog
Release Notes
2.4.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
version bump to v2.4.0ci: don't turn on frozen strings until after bundle installupdate CHANGELOGadd magic comment for frozen string literals to all filesadd rubocop as dev dep and configure security and frozen string copstest suite should check compatibility with frozen string literalsMerge pull request #175 from bchaney/allow-css-max-widthMerge pull request #177 from flavorjones/176-allow-rem-css-sizescss sanitizer allows "rem" sizesAllow CSS property: max-widthci: update concourse, add ruby 2.7 jobs↗️ mimemagic (indirect, 0.3.3 → 0.3.4) · Repo · Changelog
Release Notes
0.3.4 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 16 commits:
v0.3.4Merge pull request #81 from jcoyne/patch-1Remove rubyforge_projectMerge pull request #79 from mathieumahe/frozen_string_literalAdd frozen_string_literalMerge pull request #64 from atambo/openxmlMerge pull request #73 from olleolleolle/patch-1CI: rbx-3 in allow_failures, comment on BundlerMerge pull request #72 from olleolleolle/patch-3Merge pull request #71 from olleolleolle/patch-2Merge pull request #70 from olleolleolle/patch-1Travis: Use Bundler < 2README: Use GitHub Markdown code fencesREADME: Use SVG badgesMerge pull request #68 from viraptor/metadata-urisAdd metadata uris↗️ minitest (indirect, 5.13.0 → 5.14.0) · Repo · Changelog
Release Notes
5.14.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 8 commits:
prepped for releaseClosed temporary IOs when exiting capture_subprocess_io. (doudou)- Added example for value wrapper with block to Expectations module. (stomar)Added minitest_log to known modules (BurdetteLamar)+ Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)- Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)+ Changed assert_raises to only catch Assertion since that covers Skip and friends.- Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)↗️ nokogiri (indirect, 1.10.5 → 1.10.9) · Repo · Changelog
Release Notes
1.10.9
1.10.8
1.10.7
1.10.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 19 commits:
version bump to v1.10.9update CHANGELOGChange return type to RubyArrayupdate CHANGELOG for #1985Work around a bug in libxml2version bump to v1.10.8update CHANGELOG for v1.10.8remove patches from the hoe Manifestupdate to use rake-compiler ~1.1.0backport libxml2 patch for CVE-2020-7595version bump to v1.10.7update CHANGELOGFix the patch from #1953 to work with both `git` and `patch`Fix typo in generated metadataadd gem metadataversion bump to v1.10.6update CHANGELOGAdd a patch to fix libxml2.la's pathadd security note to CHANGELOG↗️ rack (indirect, 2.1.1 → 2.2.2) · Repo · Changelog
Release Notes
2.2.2 (from changelog)
2.2.1 (from changelog)
2.2.0 (from changelog)
2.1.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ railties (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog
Release Notes
5.2.4.1
5.2.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rake (indirect, 13.0.0 → 13.0.1) · Repo · Changelog
Release Notes
13.0.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 10 commits:
Bump version to 13.0.1Fixed build failure of the latest GitHub ActionsMerge pull request #271 from thorsteneckel/bugfix-reenable_invocation_exceptionMerge pull request #327 from mjbellantoni/mjb-order-only-arg-fixMerge pull request #329 from jeremyevans/skip-taint-test-on-2.7Skip a taint test on Ruby 2.7Merge pull request #328 from orien/gem-metadataAdd project metadata to the gemspecUpdate comments to reflect the current stateFix an incorrectly resolved arg pattern↗️ thor (indirect, 0.20.3 → 1.0.1) · Repo · Changelog
Release Notes
1.0.1 (from changelog)
1.0.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ tzinfo (indirect, 1.2.5 → 1.2.6) · Repo · Changelog
Release Notes
1.2.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 27 commits:
Update copyright years.Preparing v1.2.6.Replace expired gem signing certificate.Fix a comment.Ruby Enterprise Edition requires older versions of RubyGems and Bundler.Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."Try and fix an incorrect rake version being picked with JRuby 1.7.Convert to UNIX line endings.Simplify minitest version constraint.Update to Ruby v2.7.0-rc2.Run CI tests on Windows with AppVeyor.Enable verbose test output.Update Travis CI Ruby versions.Prevent bundler from attempting to use version minitest v5.12.0.Allow newer versions of Rake that fix warnings with Ruby 2.7.Eliminate a warning when calling File.open with keyword arguments.Suppress deprecation warnings due to Object#untaint on Ruby 2.7.Fix test failures on Ruby 1.8.7 caused by DateTime issues.Remove the unused REQUIRE_PATH constant from RubyDataSource.Fix SecurityErrors when loading data in safe mode.Test that RUBY_ENGINE is defined.Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.Update to the latest Ruby, JRuby and Rubinius releases.Fix a documentation typo.Return the correct seconds since the epoch value for strftime with %s.Restrictions on timezones only apply to older (pre-1.9) Ruby releases.Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands