diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-11 23:29:27 -0200 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-18 15:02:29 -0300 |
| commit | eaa2101b294ef546cc3fb35cc3f49c73849ac470 (patch) | |
| tree | 5605937efdb3e439df91f5a26d93466998c5f58d /actionpack/test | |
| parent | 64226302d82493d9bf67aa9e4fa52b4e0269ee3d (diff) | |
| download | rails-eaa2101b294ef546cc3fb35cc3f49c73849ac470.tar.gz rails-eaa2101b294ef546cc3fb35cc3f49c73849ac470.tar.bz2 rails-eaa2101b294ef546cc3fb35cc3f49c73849ac470.zip | |
Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/template/number_helper_test.rb | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/actionpack/test/template/number_helper_test.rb b/actionpack/test/template/number_helper_test.rb index 22da7e26e1..7f78b52b34 100644 --- a/actionpack/test/template/number_helper_test.rb +++ b/actionpack/test/template/number_helper_test.rb @@ -19,6 +19,27 @@ class NumberHelperTest < ActionView::TestCase gigabytes(number) * 1024 end + def test_number_helpers_escape_delimiter_and_separator + assert_equal "111<script></script>111<script></script>1111", number_to_phone(1111111111, :delimiter => "<script></script>") + + assert_equal "$1<script></script>01", number_to_currency(1.01, :separator => "<script></script>") + assert_equal "$1<script></script>000.00", number_to_currency(1000, :delimiter => "<script></script>") + + assert_equal "1<script></script>010%", number_to_percentage(1.01, :separator => "<script></script>") + assert_equal "1<script></script>000.000%", number_to_percentage(1000, :delimiter => "<script></script>") + + assert_equal "1<script></script>01", number_with_delimiter(1.01, :separator => "<script></script>") + assert_equal "1<script></script>000", number_with_delimiter(1000, :delimiter => "<script></script>") + + assert_equal "1<script></script>010", number_with_precision(1.01, :separator => "<script></script>") + assert_equal "1<script></script>000.000", number_with_precision(1000, :delimiter => "<script></script>") + + assert_equal "9<script></script>86 KB", number_to_human_size(10100, :separator => "<script></script>") + + assert_equal "1<script></script>01", number_to_human(1.01, :separator => "<script></script>") + assert_equal "100<script></script>000 Quadrillion", number_to_human(10**20, :delimiter => "<script></script>") + end + def test_number_to_phone assert_equal("555-1234", number_to_phone(5551234)) assert_equal("800-555-1212", number_to_phone(8005551212)) @@ -33,6 +54,8 @@ class NumberHelperTest < ActionView::TestCase assert_equal("+18005551212", number_to_phone(8005551212, :country_code => 1, :delimiter => '')) assert_equal("22-555-1212", number_to_phone(225551212)) assert_equal("+45-22-555-1212", number_to_phone(225551212, :country_code => 45)) + assert_equal "+<script></script>8005551212", number_to_phone(8005551212, :country_code => "<script></script>", :delimiter => "") + assert_equal "8005551212 x <script></script>", number_to_phone(8005551212, :extension => "<script></script>", :delimiter => "") end def test_number_to_currency @@ -48,6 +71,9 @@ class NumberHelperTest < ActionView::TestCase assert_equal("$1,234,567,890.50", number_to_currency("1234567890.50")) assert_equal("1,234,567,890.50 Kč", number_to_currency("1234567890.50", {:unit => raw("Kč"), :format => "%n %u"})) assert_equal("1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", {:unit => raw("Kč"), :format => "%n %u", :negative_format => "%n - %u"})) + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("1234567890.50", :format => "<b>%n</b> %u") + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", :negative_format => "<b>%n</b> %u") + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", 'negative_format' => "<b>%n</b> %u") end def test_number_to_percentage @@ -252,6 +278,31 @@ class NumberHelperTest < ActionView::TestCase assert_equal '4.5 tens', number_to_human(45, :units => {:unit => "", :ten => ' tens '}) end + def test_number_to_human_escape_units + volume = { :unit => "<b>ml</b>", :thousand => "<b>lt</b>", :million => "<b>m3</b>", :trillion => "<b>km3</b>", :quadrillion => "<b>Pl</b>" } + assert_equal '123 <b>lt</b>', number_to_human(123456, :units => volume) + assert_equal '12 <b>ml</b>', number_to_human(12, :units => volume) + assert_equal '1.23 <b>m3</b>', number_to_human(1234567, :units => volume) + assert_equal '1.23 <b>km3</b>', number_to_human(1_234_567_000_000, :units => volume) + assert_equal '1.23 <b>Pl</b>', number_to_human(1_234_567_000_000_000, :units => volume) + + #Including fractionals + distance = { :mili => "<b>mm</b>", :centi => "<b>cm</b>", :deci => "<b>dm</b>", :unit => "<b>m</b>", + :ten => "<b>dam</b>", :hundred => "<b>hm</b>", :thousand => "<b>km</b>", + :micro => "<b>um</b>", :nano => "<b>nm</b>", :pico => "<b>pm</b>", :femto => "<b>fm</b>"} + assert_equal '1.23 <b>mm</b>', number_to_human(0.00123, :units => distance) + assert_equal '1.23 <b>cm</b>', number_to_human(0.0123, :units => distance) + assert_equal '1.23 <b>dm</b>', number_to_human(0.123, :units => distance) + assert_equal '1.23 <b>m</b>', number_to_human(1.23, :units => distance) + assert_equal '1.23 <b>dam</b>', number_to_human(12.3, :units => distance) + assert_equal '1.23 <b>hm</b>', number_to_human(123, :units => distance) + assert_equal '1.23 <b>km</b>', number_to_human(1230, :units => distance) + assert_equal '1.23 <b>um</b>', number_to_human(0.00000123, :units => distance) + assert_equal '1.23 <b>nm</b>', number_to_human(0.00000000123, :units => distance) + assert_equal '1.23 <b>pm</b>', number_to_human(0.00000000000123, :units => distance) + assert_equal '1.23 <b>fm</b>', number_to_human(0.00000000000000123, :units => distance) + end + def test_number_to_human_with_custom_units_that_are_missing_the_needed_key assert_equal '123', number_to_human(123, :units => {:thousand => 'k'}) assert_equal '123', number_to_human(123, :units => {}) |