authorAndrew White <andrew.white@unboxedconsulting.com>2016-02-16 05:24:59 +0000
committerAndrew White <andrew.white@unboxedconsulting.com>2016-02-16 05:24:59 +0000
commitc032e633bd84a3569a20f0697263bf07f75441b8 (patch)
tree47c3fa1a5597a8484eea5539aa8976ba64f39923
parent156c2cb571af8c2049e61c50232084a9351f428b (diff)
parent65e36d31819d46ea5934fa8c7222dcec04490423 (diff)
downloadrails-c032e633bd84a3569a20f0697263bf07f75441b8.tar.gz
rails-c032e633bd84a3569a20f0697263bf07f75441b8.tar.bz2
rails-c032e633bd84a3569a20f0697263bf07f75441b8.zip
Merge branch 'should-escape-cookie' of https://github.com/ma2gedev/rails into ma2gedev-should-escape-cookie
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb2
-rw-r--r--actionpack/test/controller/test_case_test.rb7
2 files changed, 8 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 3477aa8b29..601b55cb8f 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -337,7 +337,7 @@ module ActionDispatch
end
def to_header
- @cookies.map { |k,v| "#{k}=#{v}" }.join ';'
+ @cookies.map { |k,v| "#{::Rack::Utils.escape(k)}=#{::Rack::Utils.escape(v)}" }.join ';'
end
def handle_options(options) #:nodoc:
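Review bot: `to_header` now escapes both the cookie name and value but has no comment saying why, so a later cleanup could revert to plain interpolation and again let a value containing `;` or `=` change how the header splits into cookies. I would add above the `map` line `# Names and values are stored raw; escape them so ';', '=' and '+' survive the Cookie header round-trip.` Values that are not plain strings would presumably be stringified before escaping (the jar's value types are not visible in this hunk), which may deserve its own test. The enclosing class starts and ends outside the hunk.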
diff --git a/actionpack/test/controller/test_case_test.rb b/actionpack/test/controller/test_case_test.rb
index b9caddcdb7..a054477282 100644
--- a/actionpack/test/controller/test_case_test.rb
+++ b/actionpack/test/controller/test_case_test.rb
@@ -137,6 +137,11 @@ XML
head :created, location: 'created resource'
end
+ def read_cookie
+ cookies["foo"]
+ render plain: 'ok'
+ end
+
def delete_cookie
cookies.delete("foo")
render plain: 'ok'
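Review bot: The new `read_cookie` action is not requested by any test in this diff (the changed test still calls `get :no_op`), and it discards the result of `cookies["foo"]`. As a result nothing asserts what the controller receives once the escaped header is decoded. Either call it from the test and have it return the value, e.g. `render plain: cookies["escape"].to_s`, so the server-side view of the cookie is checked, or drop the action.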
@@ -825,8 +830,10 @@ XML
def test_should_have_knowledge_of_client_side_cookie_state_even_if_they_are_not_set
cookies['foo'] = 'bar'
+ cookies['escape'] = '+'
get :no_op
assert_equal 'bar', cookies['foo']
+ assert_equal '+', cookies['escape']
end
def test_should_detect_if_cookie_is_deleted
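Review bot: The added assertion covers only `+`, which exercises the form-encoding case but not the characters that delimit cookies in the header. Adding a value such as `cookies['delims'] = 'a;b=c d%'` with a matching `assert_equal` after the request would pin the behaviour for `;`, `=`, space and `%`, the characters that would split or corrupt the header if the escaping regressed. A cookie name that needs escaping is also untested, although `to_header` now escapes names as well.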