1278c0f0 · Fix and add protections for XSS in names.
    eileencodes authored
    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of
    XML.
    
    Use that method in the tag helpers of ActionView::Helpers. Add a deprecation
    warning to the option :escape_attributes mentioning the new behavior and the
    transition to :escape, to simplify by applying the option to the whole tag.
    
    [CVE-2022-27777]
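An added illustration of the escaping the commit message describes; it is not the Rails implementation. `xml_name_escape` below follows the XML 1.0 Name production (first character a NameStartChar, the rest NameChars) with an assumed subset of the Unicode ranges, and a minimal `tag` builder shows where the escape applies: attribute values were already HTML-escaped, while tag names and attribute names were not.

```ruby
require "erb"

# Characters allowed to start an XML Name (assumed subset of the XML 1.0
# NameStartChar production, kept short; the full production has more ranges).
NAME_START_CHARS = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}" \
                   "\u{370}-\u{37D}\u{37F}-\u{1FFF}\u{200C}-\u{200D}" \
                   "\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}"
# NameChar additionally allows "-", ".", digits, U+00B7 and combining marks.
NAME_CHARS = "#{NAME_START_CHARS}\\-.0-9\u{B7}\u{300}-\u{36F}\u{203F}-\u{2040}"

INVALID_START = /[^#{NAME_START_CHARS}]/
INVALID_REST  = /[^#{NAME_CHARS}]/

# Replace every character that may not appear in an XML Name with "_", so a
# name taken from untrusted input can never contain quotes, spaces, "=", "<"
# or ">" and therefore cannot escape the tag-name or attribute-name position.
def xml_name_escape(name)
  name = name.to_s
  return "" if name.empty?
  head = name[0].gsub(INVALID_START, "_")
  tail = name[1..-1].gsub(INVALID_REST, "_")
  head + tail
end

# Minimal tag builder (hypothetical, not ActionView's): names go through
# xml_name_escape, values through the usual HTML escaping.
def tag(name, attributes = {})
  attrs = attributes.map do |key, value|
    %( #{xml_name_escape(key)}="#{ERB::Util.html_escape(value)}")
  end.join
  "<#{xml_name_escape(name)}#{attrs}>"
end

puts tag("div", "data-id" => "1", 'my attr"' => "<b>")
```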