diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
new file mode 100644
index 0000000..1567276
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
@@ -0,0 +1,21 @@
+diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
+index ce89d57..8332dd0 100644
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -115,6 +115,16 @@ def test_tag_honors_html_safe_with_escaped_array_class
+ end
+ end
+ 
++ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal '

content

',
++ content_tag('p', "content", title: '"'.html_safe)
++ end
++ 
++ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal '

content

',
++ content_tag('p', "content", data: { title: '"'.html_safe })
++ end
++ 
+ def test_skip_invalid_escaped_attributes
+ ['&1;', 'dfa3;', '& #123;'].each do |escaped|
+ assert_equal %(), tag('a', :href => escaped)
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
new file mode 100644
index 0000000..c6741d4
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
@@ -0,0 +1,13 @@
+diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
+index b203857..f09595d 100644
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -169,7 +169,7 @@ def tag_option(key, value, escape)
+ def tag_option(key, value, escape)
+ value = value.join(" ") if value.is_a?(Array)
+ value = ERB::Util.h(value) if escape
+- %(#{key}="#{value}")
++ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+ end
+ end
+ end
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
new file mode 100644
index 0000000..56bde8d
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
@@ -0,0 +1,19 @@
+diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
+index 8332dd0..da48d7c 100644
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -29,6 +29,14 @@ def test_tag_options_accepts_blank_option
+ assert_equal "
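Review bot: The replacement string on the added line `++ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")` reads as `'"'` in this rendering, which would substitute a double quote with itself and still let an html_safe value close the attribute; the upstream fix for CVE-2016-6316 substitutes the entity `&quot;`, and the test hunk above (whose expected markup has been stripped here) presumably asserts that entity, so the on-disk patch should be checked for `'&quot;'.freeze` rather than the literal quote — the page has evidently entity-decoded the hunk the same way it dropped the `<p …>` expectations. The added `gsub` runs on whatever `value` is after the optional `ERB::Util.h` call, so with `escape` false a non-String value (Symbol, Integer) would raise NoMethodError; the ensure-values patch later in this commit addresses that, which is why the spec must apply Patch6 and Patch8 together (it does). tag_option's enclosing module continues outside the hunk.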

", tag("p", :included => '')
+ end
+ 
++ def test_tag_options_accepts_symbol_option_when_not_escaping
++ assert_equal "

", tag("p", { value: :symbol }, false, false)
++ end
++ 
++ def test_tag_options_accepts_integer_option_when_not_escaping
++ assert_equal "

", tag("p", { value: 42 }, false, false)
++ end
++ 
+ def test_tag_options_converts_boolean_option
+ assert_dom_equal '

',
+ tag("p", :disabled => true, :itemscope => true, :multiple => true, :readonly => true, :allowfullscreen => true, :seamless => true, :typemustmatch => true, :sortable => true, :default => true, :inert => true, :truespeed => true)
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
new file mode 100644
index 0000000..4a09ed9
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
@@ -0,0 +1,13 @@
+diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
+index f09595d..ac60cfd 100644
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -168,7 +168,7 @@ def tag_option(key, value, escape)
+ 
+ def tag_option(key, value, escape)
+ value = value.join(" ") if value.is_a?(Array)
+- value = ERB::Util.h(value) if escape
++ value = escape ? ERB::Util.h(value) : value.to_s
+ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+ end
+ end
diff --git a/SPECS/rubygem-actionview.spec b/SPECS/rubygem-actionview.spec
index be898dd..dfe282f 100644
--- a/SPECS/rubygem-actionview.spec
+++ b/SPECS/rubygem-actionview.spec
@@ -6,7 +6,7 @@ Name: %{?scl_prefix}rubygem-%{gem_name}
 Version: 4.1.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Rendering framework putting the V in MVC (part of Rails)
 Group: Development/Languages
 License: MIT
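Review bot: The non-escaping branch of `++ value = escape ? ERB::Util.h(value) : value.to_s` only stringifies the value so the following `gsub` stops raising on Symbol and Integer options (the cases the preceding test hunk adds); it does not touch `<`, `>` or `&`, so a caller that passes `escape = false` still has to supply trusted values and gets only the double-quote neutralisation from the next line. That contract is not visible from the code alone and deserves a comment above the ternary, e.g. `# escape == false: value is stringified but not HTML-escaped; only double quotes are neutralised below`. `ERB::Util.h` already stringifies its argument, so the ternary is the right shape and no extra `to_s` is needed on the escaping side. tag_option's enclosing module starts and ends outside the hunk.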
@@ -33,6 +33,13 @@ Patch3: rubygem-actionview-4.1.14.2-CVE-2016-2097-render_data_leak_2-tests.patch
 Patch4: rubygem-actionview-4.1.14.2-secure_inline_with_params.patch
 Patch5: rubygem-actionview-4.1.14.2-secure_inline_with_params-tests.patch
+# Fix CVE-2016-6316 cross-site scripting flaw in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1365008
+Patch6: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
+Patch7: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
+Patch8: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
+Patch9: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
+
 
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 Requires: %{?scl_prefix}rubygem(builder) >= 3.1
@@ -75,6 +82,8 @@ pushd .%{gem_instdir}
 %patch0 -p2
 %patch2 -p2
 %patch4 -p2
+%patch6 -p2
+%patch8 -p2
 popd
 
 %build
@@ -94,6 +103,8 @@ tar xzvf %{SOURCE1} -C .
 patch -F 0 -p2 < %{PATCH1}
 patch -p2 < %{PATCH3}
 patch -p2 < %{PATCH5}
+patch -F 0 -p2 < %{PATCH7}
+patch -F 0 -p2 < %{PATCH9}
 
 # This requires rails git structure and only requires bundler in the end
 sed -i "s|require File.expand_path('../../../load_paths', __FILE__)||" ./test/abstract_unit.rb
@@ -123,6 +134,10 @@ popd
 %doc %{gem_instdir}/CHANGELOG.md
 
 %changelog
+* Thu Aug 25 2016 Pavel Valena - 4.1.5-6
+- Fix CVE-2016-6316 cross-site scripting flaw in Action View
+ Resolves: rhbz#1365008
+
 * Mon Mar 07 2016 Vít Ondruch - 4.1.5-5
 - Fix directory traversal and information leak.
 Resolves: CVE-2016-2097