Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba CVE-2012-3465
author: Santiago Pastorino <santiago@wyeworks.com> 2012-08-08 14:33:39 -0700
committer: Santiago Pastorino <santiago@wyeworks.com> 2012-08-09 16:06:17 -0300
commit: e91e4e8bbee12ce1496bf384c04da6be296b687a (patch)
tree: 1ee0549ee6fe5d3c745d793bd9fc2407974e4975 /actionpack/lib/action_view/helpers
parent: 6d0526db91afb0675c2ad3d871529d1536303c64 (diff)
download: rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.gz
rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.bz2
rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 7768c8c151..0f6a5ed405 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -80,7 +80,7 @@ module ActionView
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +text+ leaving just the link text.
author	Santiago Pastorino <santiago@wyeworks.com>	2012-08-08 14:33:39 -0700
committer	Santiago Pastorino <santiago@wyeworks.com>	2012-08-09 16:06:17 -0300
commit	e91e4e8bbee12ce1496bf384c04da6be296b687a (patch)
tree	1ee0549ee6fe5d3c745d793bd9fc2407974e4975 /actionpack/lib/action_view/helpers
parent	6d0526db91afb0675c2ad3d871529d1536303c64 (diff)
download	rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.gz rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.bz2 rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.zip