diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb index c8030d74e0..239d7a57fe 100644 --- a/config/initializers/10-patches.rb +++ b/config/initializers/10-patches.rb @@ -15,6 +15,73 @@ require 'active_record' +# Backported fix for CVE-2012-3465 +# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J +# TODO: Remove this once we are on Rails >= 3.2.8 +require 'action_view/helpers/sanitize_helper' +module ActionView::Helpers::SanitizeHelper + def strip_tags(html) + self.class.full_sanitizer.sanitize(html) + end +end + +# Backported fix for CVE-2012-3464 +# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J +# TODO: Remove this once we are on Rails >= 3.2.8 +require 'active_support/core_ext/string/output_safety' +class ERB + module Util + HTML_ESCAPE["'"] = ''' + + if RUBY_VERSION >= '1.9' + # A utility method for escaping HTML tag characters. + # This method is also aliased as h. + # + # In your ERB templates, use this method to escape any unsafe content. For example: + # <%=h @person.name %> + # + # ==== Example: + # puts html_escape("is a > 0 & a < 10?") + # # => is a > 0 & a < 10? + def html_escape(s) + s = s.to_s + if s.html_safe? + s + else + s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe + end + end + else + def html_escape(s) #:nodoc: + s = s.to_s + if s.html_safe? + s + else + s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe + end + end + end + + # Aliasing twice issues a warning "discarding old...". Remove first to avoid it. + remove_method(:h) + alias h html_escape + + module_function :h + + singleton_class.send(:remove_method, :html_escape) + module_function :html_escape + end +end + + +require 'action_view/helpers/tag_helper' +module ActionView::Helpers::TagHelper + def escape_once(html) + ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] } + end +end + + module ActiveRecord class Base include Redmine::I18n