    Fix and add protections for XSS in names. · 123f42a5
    Alvaro Martin Fraguas authored
    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of
    XML.
    
    Use that method in the tag helpers of ActionView::Helpers. Add a deprecation
    warning to the option :escape_attributes mentioning the new behavior and the
    transition to :escape, to simplify by applying the option to the whole tag.
    
    [CVE-2022-27777]
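As an added illustration (not the Rails code from this commit), the Ruby sketch below escapes tag and attribute names to the XML 1.0 Name production, which is the approach the commit message describes for ERB::Util.xml_name_escape, and shows a minimal tag builder applying it to both the tag name and every attribute name. The helper names safe_xml_name, escape_attr_value and build_tag are hypothetical, and the replacement character "_" is an assumption of this example.

```ruby
# Illustrative XML name escaping; hypothetical helpers, not the Rails implementation.
# XML 1.0 (5th ed.) Name production:
#   NameStartChar ::= ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF]
#                   | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | [#x2070-#x218F]
#                   | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD]
#                   | [#x10000-#xEFFFF]
#   NameChar      ::= NameStartChar | "-" | "." | [0-9] | #xB7 | [#x300-#x36F] | [#x203F-#x2040]
NAME_START_CLASS = "A-Za-z_:\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF" \
                   "\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF" \
                   "\uFDF0-\uFFFD\u{10000}-\u{EFFFF}"
NAME_CHAR_CLASS  = NAME_START_CLASS + "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"

INVALID_START     = /[^#{NAME_START_CLASS}]/
INVALID_FOLLOWING = /[^#{NAME_CHAR_CLASS}]/

# Replace every character that may not appear in an XML name with "_" (assumed
# replacement character). Spaces, quotes, "=", "<" and ">" can therefore never
# leave the name position and start a new attribute or close the tag.
def safe_xml_name(name)
  name = name.to_s
  return "" if name.empty?

  first = name[0].gsub(INVALID_START, "_")
  rest  = name[1..].gsub(INVALID_FOLLOWING, "_")
  first + rest
end

# Minimal attribute *value* escaping; "&" first so later entities are not doubled.
def escape_attr_value(value)
  value.to_s.gsub("&", "&amp;").gsub('"', "&quot;").gsub("<", "&lt;").gsub(">", "&gt;")
end

# Build an opening tag, escaping the tag name, each attribute name and each value.
def build_tag(name, attrs = {})
  attr_str = attrs.map { |k, v| %( #{safe_xml_name(k)}="#{escape_attr_value(v)}") }.join
  "<#{safe_xml_name(name)}#{attr_str}>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an attribute name carrying a space, "=" and quotes.
  puts build_tag("div", { "data-id" => 5, 'x y="z"' => "ok" })
end
```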