Escape the unit value provided to number_to_currency

Previously the unit values were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2013-6415
author: Michael Koziarski <michael@koziarski.com> 2013-12-02 10:12:47 +1300
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-12-02 16:41:14 -0800
commit: b31a7a6f1ec3c74f75b4cd12386b08295287418d (patch)
tree: b76118ab77470679d0e4d4df43f7a3957c001b6b /actionview/lib/action_view/helpers
parent: 2e3c3a87d81e16a2fed442c1cf31360f75737a83 (diff)
download: rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.tar.gz
rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.tar.bz2
rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb
index 9adc2c1a8f..13387078a4 100644
--- a/actionview/lib/action_view/helpers/number_helper.rb
+++ b/actionview/lib/action_view/helpers/number_helper.rb
@@ -394,6 +394,7 @@ module ActionView
       def escape_unsafe_delimiters_and_separators(options)
         options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
         options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
+        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
         options
       end
author	Michael Koziarski <michael@koziarski.com>	2013-12-02 10:12:47 +1300
committer	Aaron Patterson <aaron.patterson@gmail.com>	2013-12-02 16:41:14 -0800
commit	b31a7a6f1ec3c74f75b4cd12386b08295287418d (patch)
tree	b76118ab77470679d0e4d4df43f7a3957c001b6b /actionview/lib/action_view/helpers
parent	2e3c3a87d81e16a2fed442c1cf31360f75737a83 (diff)
download	rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.tar.gz rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.tar.bz2 rails-b31a7a6f1ec3c74f75b4cd12386b08295287418d.zip