JS: extract .erb files as html #11175
base: main
| @@ -104,7 +104,7 @@ private static int skipBOM(byte[] bytes, int length) { | |||
|
|
|||
| /** Information about supported file types. */ | |||
| public static enum FileType { | |||
| HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk") { | |||
| HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb") { | |||
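Review bot: The bare ".erb" suffix added on the changed line classifies every ERB template as HTML, not just the HTML ones, so ERB-templated YAML, SQL, JavaScript or plain-text mailer templates would be handed to the HTML parser as well. Narrow the new entry to ".html.erb", and confirm that the suffix test behind this list is an endsWith-style match so that a two-part suffix like ".html.erb" actually matches a path such as show.html.erb; that matching code is outside the visible hunk, so it is worth a quick check before merging.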
Perhaps restrict to .html.erb. While many erb files are html-like templates, they are also used for many other text formats.
| HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb") { | |
| HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".html.erb") { |
Yes. The parser already handles that various templating systems do various weird things. It will become problematic if
CVE-2022-3704: TP/TN
In that CVE the security issue is entirely contained within some JS code that sits inside a <script> tag in an .erb file. I figured that our HTML parser already handles HTML with various templating languages, so handling .erb shouldn't be that different. And it wasn't, it just worked.
I tried to add an .erb file to the xss-through-dom test, but that wouldn't work, and I don't know why. That's why I put an .erb test in the trap-tests.
Evaluations look fine.
4 new extracted files in our default.yml suite.
Evaluation on the nightly sources used by Ruby shows a bunch of new extracted files, and OK results.
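The following is an added, stand-alone illustration written for this page; it is not CodeQL's extractor code and does not reproduce how the extractor matches file types or parses templates. It shows two things the discussion above turns on: how a bare ".erb" suffix in an HTML-type list sweeps up non-HTML ERB templates while ".html.erb" does not (the reviewer's point), and what a <script> body pulled out of an ERB template looks like once the ERB tags inside it are blanked out, which is the kind of templating noise the description says the HTML parser already copes with. The suffix lists are taken from the hunk; the matching function, the regexes and the sample paths and template are assumptions constructed here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ErbClassificationDemo {
    // Suffix lists copied from the hunk: the bare ".erb" the PR adds vs. the ".html.erb" the review suggests.
    static final List<String> HTML_WITH_BARE_ERB =
        List.of(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb");
    static final List<String> HTML_WITH_HTML_ERB =
        List.of(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".html.erb");

    /** Assumed classifier: a case-insensitive endsWith over the suffix list, so multi-dot suffixes work. */
    static boolean matchesAny(String path, List<String> suffixes) {
        String lower = path.toLowerCase();
        for (String suffix : suffixes) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    // ERB tags: <% %>, <%= %>, <%# %>, including the whitespace-trimming -%> form (assumed grammar).
    static final Pattern ERB_TAG = Pattern.compile("<%[=#-]?[\\s\\S]*?%>");
    // Script elements in the rendered-as-text template; attributes are allowed on the opening tag.
    static final Pattern SCRIPT =
        Pattern.compile("<script\\b[^>]*>([\\s\\S]*?)</script>", Pattern.CASE_INSENSITIVE);

    /** Returns every <script> body with its ERB tags replaced by whitespace of equal length. */
    static List<String> scriptBodies(String template) {
        List<String> bodies = new ArrayList<>();
        Matcher m = SCRIPT.matcher(template);
        while (m.find()) {
            bodies.add(blankErbTags(m.group(1)));
        }
        return bodies;
    }

    /** Blanks ERB tags out character by character so line and column positions of the JS stay stable. */
    static String blankErbTags(String js) {
        StringBuilder out = new StringBuilder();
        Matcher m = ERB_TAG.matcher(js);
        int last = 0;
        while (m.find()) {
            out.append(js, last, m.start());
            for (int i = m.start(); i < m.end(); i++) {
                out.append(js.charAt(i) == '\n' ? '\n' : ' ');
            }
            last = m.end();
        }
        out.append(js.substring(last));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed paths, not from any real repository.
        String[] samples = {
            "app/views/users/show.html.erb",
            "app/views/mailer/welcome.text.erb",
            "db/seeds.sql.erb",
            "config/database.yml.erb",
            "app/assets/javascripts/app.js.erb"
        };
        for (String path : samples) {
            System.out.printf("%-40s  bare .erb -> %-5s  .html.erb -> %s%n", path,
                matchesAny(path, HTML_WITH_BARE_ERB), matchesAny(path, HTML_WITH_HTML_ERB));
        }

        // Constructed template: ERB tags both outside and inside the script element.
        String template = String.join("\n",
            "<h1><%= @user.name %></h1>",
            "<script>",
            "  var id = <%= @user.id %>;",
            "  <%# comment, rendered to nothing -%>",
            "  document.getElementById('out').innerHTML = location.hash.slice(1); // DOM sink a query would flag",
            "</script>");
        for (String body : scriptBodies(template)) {
            System.out.println("--- script body with ERB tags blanked ---");
            System.out.println(body);
        }
    }
}
```

Running it prints true for every sample path under the bare ".erb" list and true only for show.html.erb under the ".html.erb" list, then the script body with `<%= @user.id %>` and the comment tag replaced by spaces, leaving `var id =   ;` and the DOM sink line intact for a JS parser to consume.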