# frozen_string_literal: true

# This is a fix for CVE-2020-5267 which isn't patched in Rails4 since it's out
# of lifetime support now

# TODO: remove this once we are Rails 5+

ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  { "`": "\\`", "$": "\\$" }
)

module ActionView::Helpers::JavaScriptHelper

  alias :old_ej :escape_javascript
  alias :old_j :j

  # Monkey patch Rails' :escape_javascript method used in a few of our views
  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript

end