Fix tag helper regression #45027

Merged
merged 1 commit into main from fix-tag-helper-regression May 5, 2022
Conversation

eileencodes
Member

Vue.js, alpinejs, and potentially other JS libraries support tags
starting with `@` symbols. This was broken by the recent security release in
649516c

I've only added `@` to the list even though there are potentially other
safe characters. We can add more if necessary (and if safe).

Fixes:
* #45014
* #44972
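The regression described above is easiest to see with an attribute-name filter in front of you. The following is an added example, not Rails's own code and not the code from 649516c: a hypothetical `escape_attr_name` that replaces every character outside an allowlist with a numeric character reference, shown with an over-strict allowlist (an assumed shape of the regression) beside one that also admits `@`, plus a small `html_tag` helper that uses it. The names `UNSAFE_NAME_CHAR_STRICT`, `UNSAFE_NAME_CHAR`, `escape_attr_name`, `html_tag` and `injected_handler?` are assumptions, as are the sample inputs.

```ruby
require "cgi"

# Attribute-name filter, added as an illustration; not Rails's implementation.
# An attribute *name* taken from a Hash key can be user-controlled, so any
# character that could end the name and start a new attribute (whitespace,
# "=", quotes, "/", ">") must never reach the output raw. Rather than reject
# the name, each disallowed character becomes a numeric character reference.
# HTML parsers do not decode references inside an attribute name, so the
# browser sees one harmless, oddly named attribute instead of a handler.

# "Before" (assumed shape of the over-strict allowlist): only letters, digits,
# "_", ":", "." and "-" pass, so Vue's `@click` is rendered as `&#x40;click`.
UNSAFE_NAME_CHAR_STRICT = /[^A-Za-z0-9_:.\-]/
# "After": the same set plus "@", so `@click`, `@submit.prevent` and Alpine's
# `@click.away` survive. Nothing that can break out of the name is admitted.
UNSAFE_NAME_CHAR = /[^A-Za-z0-9_:.\-@]/

# Replace each character matched by `unsafe` with `&#x..;` (hex code point).
def escape_attr_name(name, unsafe = UNSAFE_NAME_CHAR)
  name.to_s.gsub(unsafe) { |ch| "&#x#{ch.ord.to_s(16)};" }
end

# Minimal tag builder: names go through the filter above, values through the
# usual HTML escaping (CGI.escapeHTML). A value of `true` renders a bare
# boolean attribute such as `disabled`.
def html_tag(tag_name, attrs = {})
  rendered = attrs.map do |key, value|
    name = escape_attr_name(key)
    value == true ? name : "#{name}=\"#{CGI.escapeHTML(value.to_s)}\""
  end
  rendered.empty? ? "<#{tag_name}>" : "<#{tag_name} #{rendered.join(' ')}>"
end

# Crude reviewer-style check: does the markup contain an event-handler
# attribute (whitespace, then `on...=`) that we never intended to emit?
def injected_handler?(html)
  html.match?(/\s+on\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate Vue binding and an attacker-shaped key.
  puts html_tag("button", "@click" => "save()", "type" => "button")
  puts html_tag("a", "href x onmouseover=alert(1)" => "/profile")
  puts escape_attr_name("@click", UNSAFE_NAME_CHAR_STRICT) # the regression
end
```

The thing to check in review is the last case: admitting `@` cannot reopen the XSS, because `@` on its own can neither terminate an attribute name nor start a new attribute, while the characters that can (whitespace, `=`, quotes, `/`, `>`) stay outside the allowlist and are still rewritten.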
@eileencodes eileencodes merged commit 480edd4 into main May 5, 2022
@eileencodes eileencodes deleted the fix-tag-helper-regression branch May 5, 2022 18:46
eileencodes added a commit that referenced this pull request May 5, 2022
@amartinfraguas
Contributor

Hi @eileencodes, @tenderlove, I am the author of the initial security patch. Sorry for the mess... I have just created a pull request to fix the issue completely; could you please review it? #45236

amartinfraguas added a commit to amartinfraguas/rails that referenced this pull request Jun 16, 2022
A previous fix for protections for XSS in `ActionView::Helpers` and
`ERB::Util` introduced a regression by not filtering HTML characters
properly. This is a complete fix for that regression, related to rails#45027.

We would need to support XHTML, HTML4 and HTML5. But since XHTML and
HTML4 have had a note for future deprecation in the documentation for
more than 5 years, simplify the filtering by removing support for XHTML
and HTML4.