content_tag HTML attributes beginning with @ are escaped to _ #45014
Comments
@Lordnibbler I just faced the same issue (also using alpinejs). Fortunately alpinejs

Vue.js, alpinejs, and potentially other JS libraries support tags starting with `@` symbols. This was broken by the recent security release in 649516c. I've only added `@` to the list even though there are potentially other safe characters. We can add more if necessary (and if safe).

Fixes:
* #45014
* #44972

I fixed this in #45027 and backported it to all the versions of Rails. I'll do a release tomorrow or early next week.

Closing as the release went out this morning. Hope that fixes the issue for you!

Note for anyone following along behind me:
Fix is to change to long-hand version for now.
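As an added illustration (example code written for this page, not Rails' own tag helper), the snippet below models the behaviour the PR description and the "long-hand" workaround above describe: an attribute name is checked character by character and anything outside an allowed set is replaced with `_`. `BEFORE_FIX` rejects a leading `@` (so `@click` becomes `_click`), `AFTER_FIX` adds `@` to the allowed start characters, and the long-hand `x-on:click` passes in both because `-` and `:` are ordinary name characters. The character sets, the `TagNameSanitizer` module and its `tag` helper are assumptions chosen for illustration; the real helper uses the much larger XML Name production.

```ruby
# Added example, not code from Rails. A deliberately simplified attribute-name
# sanitizer that mirrors the behaviour discussed in this issue: names are
# checked character by character and anything outside an allowed set is
# replaced with "_". The allowed sets below are assumptions chosen for
# illustration; the real tag helper uses the much larger XML Name production.
require "cgi"

module TagNameSanitizer
  REPLACEMENT = "_"

  # Returns a lambda that sanitizes one attribute name. start_chars and
  # following_chars are regexp character-class bodies (assumed sets).
  def self.build(start_chars:, following_chars:)
    start_re  = /\A[^#{start_chars}]/
    follow_re = /[^#{following_chars}]/
    lambda do |name|
      name = name.to_s
      return REPLACEMENT if name.empty?
      name[0].sub(start_re, REPLACEMENT) + name[1..].gsub(follow_re, REPLACEMENT)
    end
  end

  # Before the fix: only letters, "_" and ":" may start a name, so "@" is
  # replaced. Digits, "." and "-" are additionally allowed after the first char.
  BEFORE_FIX = build(start_chars: "A-Za-z_:",
                     following_chars: "A-Za-z0-9_:.-")

  # After the fix described in the PR above: "@" is added to the allowed set.
  AFTER_FIX = build(start_chars: "@A-Za-z_:",
                    following_chars: "@A-Za-z0-9_:.-")

  # Minimal content_tag-style renderer: attribute names go through the
  # sanitizer, attribute values are HTML-escaped as usual.
  def self.tag(name, attrs, sanitizer)
    rendered = attrs.map do |k, v|
      %(#{sanitizer.call(k)}="#{CGI.escapeHTML(v.to_s)}")
    end
    "<#{name} #{rendered.join(' ')}>"
  end
end

if __FILE__ == $0
  # Constructed sample: Alpine's shorthand and its long-hand equivalent.
  alpine = { "@click" => "open = true", "x-on:click" => "open = true" }
  puts TagNameSanitizer.tag("button", alpine, TagNameSanitizer::BEFORE_FIX)
  puts TagNameSanitizer.tag("button", alpine, TagNameSanitizer::AFTER_FIX)
  # A hostile name that tries to break out of the attribute position is
  # neutralised by both variants, which is the point of the security release.
  puts TagNameSanitizer::AFTER_FIX.call('x" onclick="alert(1)')
end
```

Running it prints the pre-fix rendering with `_click`, the post-fix rendering with `@click` intact, and `x__onclick__alert_1_` for the hostile name: adding `@` to the start set does not reopen the quote-and-bracket characters that the security release was escaping.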
Steps to reproduce

Expected behavior

`content_tag` should output HTML attributes beginning with the `@` symbol into the HTML.

Actual behavior

CVE-2022-27777 caused a change in behavior in `content_tag` and related HTML helper functions. Providing HTML attributes which begin with a `@` symbol (as used in alpine.js and other libraries) are now escaped to `_`, rendering these helper functions unusable. 649516c
https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

System configuration

Rails version: 7.0.2.4
Ruby version: 3.1.0