Use ERB::Util.h over CGI.escapeHTML as the former is safety aware and the latter isn't

author: Michael Koziarski <michael@koziarski.com> 2009-10-15 09:58:17 +1300
committer: Michael Koziarski <michael@koziarski.com> 2009-10-15 09:58:17 +1300
commit: 5d5e34fa52183566968cb22f7c49544a7361a130 (patch)
tree: b72331ecdb883cb1e82f4674e7ae563bfad31d61 /actionpack/lib/action_controller/metal
parent: 1b3195b63ca44f0a70b61b75fcf4991cb2fbb944 (diff)
download: rails-5d5e34fa52183566968cb22f7c49544a7361a130.tar.gz
rails-5d5e34fa52183566968cb22f7c49544a7361a130.tar.bz2
rails-5d5e34fa52183566968cb22f7c49544a7361a130.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/redirector.rb b/actionpack/lib/action_controller/metal/redirector.rb
index f79fd54acd..b55f5e7bfc 100644
--- a/actionpack/lib/action_controller/metal/redirector.rb
+++ b/actionpack/lib/action_controller/metal/redirector.rb
@@ -16,7 +16,7 @@ module ActionController
       logger.info("Redirected to #{url}") if logger && logger.info?
       self.status = status
       self.location = url.gsub(/[\r\n]/, '')
-      self.response_body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>"
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(url)}\">redirected</a>.</body></html>"
     end
   end
 end
author	Michael Koziarski <michael@koziarski.com>	2009-10-15 09:58:17 +1300
committer	Michael Koziarski <michael@koziarski.com>	2009-10-15 09:58:17 +1300
commit	5d5e34fa52183566968cb22f7c49544a7361a130 (patch)
tree	b72331ecdb883cb1e82f4674e7ae563bfad31d61 /actionpack/lib/action_controller/metal
parent	1b3195b63ca44f0a70b61b75fcf4991cb2fbb944 (diff)
download	rails-5d5e34fa52183566968cb22f7c49544a7361a130.tar.gz rails-5d5e34fa52183566968cb22f7c49544a7361a130.tar.bz2 rails-5d5e34fa52183566968cb22f7c49544a7361a130.zip