
content_tag HTML attributes beginning with @ are escaped to _ #45014

Closed
Lordnibbler opened this issue May 4, 2022 · 4 comments

@Lordnibbler

Steps to reproduce

# rails 7.0.2.4
content_tag(:div, "test", "@click": "triggerNav()")
# => "<div _click=\"triggerNav()\">test</div>"

# rails <=7.0.2.3
content_tag(:div, "test", "@click": "triggerNav()")
# => "<div @click=\"triggerNav()\">test</div>"

Expected behavior

content_tag should output HTML attributes beginning with @ symbol into the HTML.

Actual behavior

CVE-2022-27777 caused a change in behavior in content_tag and related HTML helper functions. HTML attributes which begin with a @ symbol (as used in alpine.js and other libraries) are now escaped to _, rendering these helper functions unusable.

649516c
https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

System configuration

Rails version: 7.0.2.4
Ruby version: 3.1.0

@KostasKostogloy

@Lordnibbler I just faced the same issue (also using alpinejs). Fortunately alpinejs @click is an alias of x-on:click, you can replace its usage till this is resolved.

eileencodes added a commit that referenced this issue May 5, 2022
Vue.js, alpinejs, and potentially other JS libraries support tags
starting with `@` symbols. This was broken by the recent security release in
649516c

I've only added `@` to the list even though there are potentially other
safe characters. We can add more if necessary (and if safe).

Fixes:
* #45014
* #44972
@eileencodes (Member)

I fixed this in #45027 and backported it to all the versions of Rails. I'll do a release tomorrow or early next week.

@eileencodes (Member)

Closing as the release went out this morning. Hope that fixes the issue for you!

@rylanb

rylanb commented May 19, 2022

Note for anyone following along behind me:
https://vuejs.org/guide/components/slots.html#named-slots

v-slot:default can be short-handed to #default. I'm seeing that render out as _default instead of #default in this 6.0.5 update.

Fix is to change to long-hand version for now.
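As an added illustration (not Rails' own code) of the attribute-name escaping discussed in the original report and in the `#default` note above: a simplified, ASCII-only approximation of an XML-Name safelist in which `@` is allowed, as the follow-up fix did, while `#`, quotes and angle brackets in a name are replaced with `_`. The `escape_attribute_name` and `build_tag` helpers are hypothetical names chosen for this example.

```ruby
require "cgi"

# Illustrative re-implementation of the attribute-name escaping behaviour:
# an attribute NAME that contains characters unsafe in an HTML/XML name has
# those characters replaced with "_", so an untrusted hash key cannot break
# out of the attribute context. "@" is included in the safe set here, which
# is what the follow-up fix added; "#" is not, which is why "#default"
# renders as "_default".
# Simplified ASCII approximation of the XML Name production; Rails' real
# safelist also covers non-ASCII ranges (assumption: close enough to show
# the behaviour, not a copy of the Rails regex).
NAME_START_CHAR = /[A-Za-z_:@]/
NAME_REST_CHARS = /[^A-Za-z0-9_:@.\-]/
REPLACEMENT_CHAR = "_"

def escape_attribute_name(name)
  name = name.to_s
  return name if name.empty?
  first = name[0].match?(NAME_START_CHAR) ? name[0] : REPLACEMENT_CHAR
  rest  = name[1..].gsub(NAME_REST_CHARS, REPLACEMENT_CHAR)
  first + rest
end

# Minimal content_tag-like builder: names go through the escaper above,
# values and content are HTML-escaped with CGI.escapeHTML.
def build_tag(tag, content, attrs = {})
  attr_string = attrs.map do |key, value|
    %( #{escape_attribute_name(key)}="#{CGI.escapeHTML(value.to_s)}")
  end.join
  "<#{tag}#{attr_string}>#{CGI.escapeHTML(content.to_s)}</#{tag}>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the thread: Alpine/Vue shorthand names.
  puts build_tag(:div, "test", "@click": "triggerNav()")   # @ kept
  puts build_tag(:div, "test", "x-on:click": "triggerNav()") # long-hand kept
  puts build_tag(:template, "slot", "#default": "")        # # becomes _
  puts build_tag(:div, "test", 'a"b>c': "v")               # breakout chars neutralised
end
```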
