authorMichael Koziarski <michael@koziarski.com>2010-12-07 16:27:55 +1300
committerAaron Patterson <aaron.patterson@gmail.com>2011-02-08 13:56:08 -0800
commit3ddd7f7ec9b156e4b7de4c23d448c2db98f30504 (patch)
treee3b492fcf19d1a7610cb7424f9c159807e646e87 /actionpack/lib/action_view
parent8ce57652b224c01d474ef20b27ea3c3838534467 (diff)
Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
This fixes CVE-2011-0446
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb11
1 files changed, 6 insertions, 5 deletions
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index cfa88c91e3..2cd2dca711 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -497,13 +497,14 @@ module ActionView
email_address_obfuscated = email_address.dup
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.key?("replace_dot")
-
case encode
when "javascript"
- string =
- "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".unpack('C*').map { |c|
- sprintf("%%%x", c)
- }.join
+ string = ''
+ html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
+ html = escape_javascript(html)
+ "document.write('#{html}');".each_byte do |c|
+ string << sprintf("%%%x", c)
+ end
"<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe
when "hex"
email_address_encoded = email_address_obfuscated.unpack('C*').map {|c|
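Review bot: The percent-encoding on the `string << sprintf("%%%x", c)` line emits a single hex digit for any byte below 0x10 (a tab becomes `%9`), and `decodeURIComponent` in the emitted script raises a URIError on such a sequence, so the whole link silently fails to render. escape_javascript covers newlines, carriage returns and quotes, but not tabs or other low control bytes, so a tab in `name` or in an html_options value would presumably still reach this loop unescaped. A two-digit format fixes this in place, and the original `unpack('C*').map { … }.join` shape reads better than accumulating with each_byte and `<<`: `string = "document.write('#{html}');".unpack('C*').map { |c| sprintf("%%%02x", c) }.join`. The enclosing method starts before the hunk and continues past it (the `"hex"` branch is cut off at the end).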