diff options
author | Michael Koziarski <michael@koziarski.com> | 2010-12-07 16:27:55 +1300 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-02-08 13:56:08 -0800 |
commit | 3ddd7f7ec9b156e4b7de4c23d448c2db98f30504 (patch) | |
tree | e3b492fcf19d1a7610cb7424f9c159807e646e87 /actionpack/lib/action_view | |
parent | 8ce57652b224c01d474ef20b27ea3c3838534467 (diff) | |
download | rails-3ddd7f7ec9b156e4b7de4c23d448c2db98f30504.tar.gz rails-3ddd7f7ec9b156e4b7de4c23d448c2db98f30504.tar.bz2 rails-3ddd7f7ec9b156e4b7de4c23d448c2db98f30504.zip |
Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
This fixes CVE-2011-0446
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r-- | actionpack/lib/action_view/helpers/url_helper.rb | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index cfa88c91e3..2cd2dca711 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -497,13 +497,14 @@ module ActionView email_address_obfuscated = email_address.dup email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at") email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.key?("replace_dot") - case encode when "javascript" - string = - "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".unpack('C*').map { |c| - sprintf("%%%x", c) - }.join + string = '' + html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe)) + html = escape_javascript(html) + "document.write('#{html}');".each_byte do |c| + string << sprintf("%%%x", c) + end "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe when "hex" email_address_encoded = email_address_obfuscated.unpack('C*').map {|c| |