diff options
author | Santiago Pastorino <santiago@wyeworks.com> | 2012-08-08 14:33:39 -0700 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2012-08-09 18:51:05 -0300 |
commit | d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c (patch) | |
tree | 5ddcad9850bee32527fc384ff98dd939e76c599a | |
parent | c63d17c2be04882cc0c7aed5cf2b5ba2f1ef313d (diff) | |
download | rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.gz rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.bz2 rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.zip |
Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba
CVE-2012-3465
-rw-r--r-- | actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 | ||||
-rw-r--r-- | actionpack/test/template/sanitize_helper_test.rb | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb index a727b910e5..aaf0e0344a 100644 --- a/actionpack/lib/action_view/helpers/sanitize_helper.rb +++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb @@ -78,7 +78,7 @@ module ActionView # strip_tags("<div id='top-bar'>Welcome to my website!</div>") # # => Welcome to my website! def strip_tags(html) - self.class.full_sanitizer.sanitize(html).try(:html_safe) + self.class.full_sanitizer.sanitize(html) end # Strips all link tags from +text+ leaving just the link text. diff --git a/actionpack/test/template/sanitize_helper_test.rb b/actionpack/test/template/sanitize_helper_test.rb index 4182af590e..7626cdf386 100644 --- a/actionpack/test/template/sanitize_helper_test.rb +++ b/actionpack/test/template/sanitize_helper_test.rb @@ -40,9 +40,9 @@ class SanitizeHelperTest < ActionView::TestCase [nil, '', ' '].each do |blank| stripped = strip_tags(blank) assert_equal blank, stripped - assert stripped.html_safe? unless blank.nil? end - assert strip_tags("<script>").html_safe? + assert_equal "", strip_tags("<script>") + assert_equal "something <img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)")) end def test_sanitize_is_marked_safe |