Escape interpolated params when redirecting - fixes #5688

author: Andrew White <andyw@pixeltrix.co.uk> 2012-04-29 21:19:18 +0100
committer: Andrew White <andyw@pixeltrix.co.uk> 2012-04-29 21:19:18 +0100
commit: b608cdd64c95d0d16eb98d86562e22f3b01be9e3 (patch)
tree: deb575f47ca2115b705e4cca40ebbba7f516992a /actionpack/lib
parent: 0df261a4d1557ef0c38d44fb7aa096c203ffaac5 (diff)
download: rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.tar.gz
rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.tar.bz2
rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/routing/redirection.rb b/actionpack/lib/action_dispatch/routing/redirection.rb
index 4d98f20826..75627018c7 100644
--- a/actionpack/lib/action_dispatch/routing/redirection.rb
+++ b/actionpack/lib/action_dispatch/routing/redirection.rb
@@ -93,7 +93,7 @@ module ActionDispatch
         path = args.shift
 
         block = lambda { |params, request|
-          (params.empty? || !path.match(/%\{\w*\}/)) ? path : (path % params)
+          (params.empty? || !path.match(/%\{\w*\}/)) ? path : (path % escape(params))
         } if String === path
 
         block = path if path.respond_to? :call
@@ -110,6 +110,11 @@ module ActionDispatch
 
         Redirect.new status, block
       end
+
+      private
+        def escape(params)
+          Hash[params.map{ |k,v| [k, Rack::Utils.escape(v)] }]
+        end
     end
   end
 end
author	Andrew White <andyw@pixeltrix.co.uk>	2012-04-29 21:19:18 +0100
committer	Andrew White <andyw@pixeltrix.co.uk>	2012-04-29 21:19:18 +0100
commit	b608cdd64c95d0d16eb98d86562e22f3b01be9e3 (patch)
tree	deb575f47ca2115b705e4cca40ebbba7f516992a /actionpack/lib
parent	0df261a4d1557ef0c38d44fb7aa096c203ffaac5 (diff)
download	rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.tar.gz rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.tar.bz2 rails-b608cdd64c95d0d16eb98d86562e22f3b01be9e3.zip