author | Santiago Pastorino <santiago@wyeworks.com> | 2012-08-08 15:10:35 -0700 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2012-08-09 15:48:17 -0300 |
commit | 6d0526db91afb0675c2ad3d871529d1536303c64 (patch) | |
tree | 81bff482a5ddd39587c738e6326c20e639eaa1d6 /actionpack | |
parent | 65b5e35e898ac09a50b61c671d98a3cf92453003 (diff) | |
escape select_tag :prompt values
CVE-2012-3463
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 7 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 | ||||
-rw-r--r-- | actionpack/test/template/form_tag_helper_test.rb | 6 |
3 files changed, 15 insertions, 2 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index c43ec62555..9c12e09392 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,12 @@
 ## Rails 3.2.8 ##
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
+ If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+ Vulnerable code will look something like this:
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+ *Santiago Pastorino*
+
 * Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
 * Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 066b98d4a2..9e0ec17836 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -122,11 +122,11 @@ module ActionView
 html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
 if options.delete(:include_blank)
- option_tags = "<option value=\"\"></option>".html_safe + option_tags
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
 end
 if prompt = options.delete(:prompt)
- option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
+ option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
 end
 content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index 68dfceef07..6f0d0c3561 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
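Review bot: The two added `safe_concat(option_tags)` lines append the caller's `option_tags` without escaping, whereas the replaced `"...".html_safe + option_tags` form went through `SafeBuffer#+`, which (in the 3.2 SafeBuffer as I recall it) escapes a right operand that is not `html_safe`. If that recollection holds, a plain String passed as `option_tags` is now emitted raw whenever `:prompt` or `:include_blank` is given, while the branch-free path still escapes it via `content_tag :select, option_tags, ...` on the last context line — two different output-encoding rules for the same argument. The prompt fix can keep the old handling of the second operand with `option_tags = content_tag(:option, prompt, :value => '') + option_tags` (and the same `+` form in the `:include_blank` branch). Separately, if `option_tags` may be nil (its default sits in the signature above the hunk), `safe_concat(nil)` raises where `+` previously coerced it, so an `option_tags ||= ''` before these branches is worth adding. `select_tag`'s definition starts before this hunk.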
@@ -208,6 +208,12 @@ class FormTagHelperTest < ActionView::TestCase
 assert_dom_equal expected, actual
 end
+ def test_select_tag_escapes_prompt
+ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
+ expected = %(<select id="places" name="places"><option value=""><script>alert(1337)</script></option><option>Home</option><option>Work</option><option>Pub</option></select>)
+ assert_dom_equal expected, actual
+ end
+
 def test_select_tag_with_prompt_and_include_blank
 actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "string", :include_blank => true
 expected = %(<select name="places" id="places"><option value="">string</option><option value=""></option><option>Home</option><option>Work</option><option>Pub</option></select>) |
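Review bot: As rendered on this page, the `expected` string of `test_select_tag_escapes_prompt` contains a literal `<script>alert(1337)</script>` inside the prompt `<option>`, which would assert that the prompt is not escaped and contradicts both the test name and the fix; this is presumably the page decoding `&lt;`/`&gt;` entities, but the committed line should be confirmed to read `<option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option>`. The new test only exercises an `.html_safe` `option_tags`, so it does not pin what the new `safe_concat` does with a plain String second operand; a companion case such as `select_tag "places", "<option>Home</option>", :prompt => "x"` with an explicit expected encoding would lock that behaviour down either way. `test_select_tag_with_prompt_and_include_blank` continues past the end of this hunk.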