diff options
author | Andrew White <andrew.white@unboxedconsulting.com> | 2016-02-16 05:24:59 +0000 |
---|---|---|
committer | Andrew White <andrew.white@unboxedconsulting.com> | 2016-02-16 05:24:59 +0000 |
commit | c032e633bd84a3569a20f0697263bf07f75441b8 (patch) | |
tree | 47c3fa1a5597a8484eea5539aa8976ba64f39923 | |
parent | 156c2cb571af8c2049e61c50232084a9351f428b (diff) | |
parent | 65e36d31819d46ea5934fa8c7222dcec04490423 (diff) | |
download | rails-c032e633bd84a3569a20f0697263bf07f75441b8.tar.gz rails-c032e633bd84a3569a20f0697263bf07f75441b8.tar.bz2 rails-c032e633bd84a3569a20f0697263bf07f75441b8.zip |
Merge branch 'should-escape-cookie' of https://github.com/ma2gedev/rails into ma2gedev-should-escape-cookie
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/cookies.rb | 2 | ||||
-rw-r--r-- | actionpack/test/controller/test_case_test.rb | 7 |
2 files changed, 8 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 3477aa8b29..601b55cb8f 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -337,7 +337,7 @@ module ActionDispatch end def to_header - @cookies.map { |k,v| "#{k}=#{v}" }.join ';' + @cookies.map { |k,v| "#{::Rack::Utils.escape(k)}=#{::Rack::Utils.escape(v)}" }.join ';' end def handle_options(options) #:nodoc: diff --git a/actionpack/test/controller/test_case_test.rb b/actionpack/test/controller/test_case_test.rb index b9caddcdb7..a054477282 100644 --- a/actionpack/test/controller/test_case_test.rb +++ b/actionpack/test/controller/test_case_test.rb @@ -137,6 +137,11 @@ XML head :created, location: 'created resource' end + def read_cookie + cookies["foo"] + render plain: 'ok' + end + def delete_cookie cookies.delete("foo") render plain: 'ok' @@ -825,8 +830,10 @@ XML def test_should_have_knowledge_of_client_side_cookie_state_even_if_they_are_not_set cookies['foo'] = 'bar' + cookies['escape'] = '+' get :no_op assert_equal 'bar', cookies['foo'] + assert_equal '+', cookies['escape'] end def test_should_detect_if_cookie_is_deleted |