authorRafael Mendonça França <rafaelmfranca@gmail.com>2014-02-11 23:29:27 -0200
committerRafael Mendonça França <rafaelmfranca@gmail.com>2014-02-18 15:02:29 -0300
commiteaa2101b294ef546cc3fb35cc3f49c73849ac470 (patch)
tree5605937efdb3e439df91f5a26d93466998c5f58d /actionpack/lib/action_view
parent64226302d82493d9bf67aa9e4fa52b4e0269ee3d (diff)
Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted, leading to potential XSS vulnerabilities. Fixes: CVE-2014-0081
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/helpers/number_helper.rb14
1 files changed, 13 insertions, 1 deletions
diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index eee9e59a24..91f60434b1 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -138,12 +138,18 @@ module ActionView
options.symbolize_keys!
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
+ options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
+ options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+
defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
currency = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
currency[:negative_format] ||= "-" + currency[:format] if currency[:format]
defaults = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
defaults[:negative_format] = "-" + options[:format] if options[:format]
+
options = defaults.merge!(options)
unit = options.delete(:unit)
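Review bot: The four escape lines added after `options.symbolize_keys!` overwrite values in the caller's own hash, so after the call the caller's `:format` and `:negative_format` entries hold escaped copies; `symbolize_keys!` already mutates that hash, but the escaping is easy to miss and deserves a comment such as `# Escape caller-supplied values in place; the I18n defaults merged below are trusted.` Because the escaping runs before `defaults` and `currency` are merged in, locale-file format strings are deliberately left unescaped, which is the intended trust boundary and worth stating in that comment. The same lines are repeated in the next two hunks (number_to_percentage and number_with_delimiter), so a small private helper taking the keys to escape would keep the escaped set in one place; number_to_currency continues past the end of this hunk.
```ruby
options = escape_unsafe_number_options(options, :delimiter, :separator, :format, :negative_format)
# … unchanged: I18n defaults, currency merge, negative_format …

# Escape caller-supplied option values in place; I18n defaults merged later are trusted.
# (belongs in the private section of the helper module)
def escape_unsafe_number_options(options, *keys)
  keys.each do |key|
    options[key] = ERB::Util.html_escape(options[key]) if options[key]
  end
  options
end
```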
@@ -206,6 +212,9 @@ module ActionView
options.symbolize_keys!
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
+
defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {})
defaults = defaults.merge(percentage)
@@ -255,6 +264,9 @@ module ActionView
def number_with_delimiter(number, options = {})
options.symbolize_keys!
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
+
begin
Float(number)
rescue ArgumentError, TypeError
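Review bot: If number_to_currency forwards its already-escaped options down to number_with_delimiter (the call chain is outside this hunk), `:delimiter` and `:separator` are escaped a second time here; that is harmless only because ActiveSupport's `ERB::Util.html_escape` returns an already html_safe string unchanged rather than re-escaping it. A short comment on the two added lines, `# Idempotent: html_escape leaves html_safe values untouched, so callers may pass pre-escaped options.`, records why the double pass is safe. number_with_delimiter continues past the end of this hunk.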
@@ -578,7 +590,7 @@ module ActionView
units = options.delete :units
unit_exponents = case units
when Hash
- units
+ units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
when String, Symbol
I18n.translate(:"#{units}", :locale => options[:locale], :raise => true)
when nil
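Review bot: The `units = Hash[...]` assignment inside the `when Hash` branch reads like a stray side effect, since the branch value already flows into `unit_exponents`; it is presumably needed because `units` is read again later in number_to_human (outside this hunk) to pick the display unit, and a future cleanup could drop it and silently reintroduce the unescaped path. A comment on that line, `# Reassign: units is looked up again below, so the escaped copy must replace the original`, would protect the fix. Note also that `html_escape(nil)` yields `""`, so a hash entry with a nil value now becomes an empty string rather than staying nil; only values are escaped, keys are left as lookup symbols. The `case` and the method continue past the end of this hunk.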