Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba CVE-2012-3465
author: Santiago Pastorino <santiago@wyeworks.com> 2012-08-08 14:33:39 -0700
committer: Santiago Pastorino <santiago@wyeworks.com> 2012-08-09 18:51:05 -0300
commit: d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c (patch)
tree: 5ddcad9850bee32527fc384ff98dd939e76c599a /actionpack/test
parent: c63d17c2be04882cc0c7aed5cf2b5ba2f1ef313d (diff)
download: rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.gz
rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.bz2
rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/test/template/sanitize_helper_test.rb b/actionpack/test/template/sanitize_helper_test.rb
index 4182af590e..7626cdf386 100644
--- a/actionpack/test/template/sanitize_helper_test.rb
+++ b/actionpack/test/template/sanitize_helper_test.rb
@@ -40,9 +40,9 @@ class SanitizeHelperTest < ActionView::TestCase
     [nil, '', '   '].each do |blank|
       stripped = strip_tags(blank)
       assert_equal blank, stripped
-      assert stripped.html_safe? unless blank.nil?
     end
-    assert strip_tags("<script>").html_safe?
+    assert_equal "", strip_tags("<script>")
+    assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
   end
 
   def test_sanitize_is_marked_safe
author	Santiago Pastorino <santiago@wyeworks.com>	2012-08-08 14:33:39 -0700
committer	Santiago Pastorino <santiago@wyeworks.com>	2012-08-09 18:51:05 -0300
commit	d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c (patch)
tree	5ddcad9850bee32527fc384ff98dd939e76c599a /actionpack/test
parent	c63d17c2be04882cc0c7aed5cf2b5ba2f1ef313d (diff)
download	rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.gz rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.tar.bz2 rails-d8cf713afabbd0c3cf8d6674b2d1a7f7c2a0e98c.zip