author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-11 23:36:10 -0200 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-18 15:38:50 -0300 |
commit | 08d0a11a3f62718d601d39e617c834759cf59bbb (patch) | |
tree | 947e6e8afb68c7e0cdeb51d90b34023972aa1856 /actionview/lib/action_view | |
parent | f706d5f945c5751072bb90d080aff154e6858435 (diff) | |
download | rails-08d0a11a3f62718d601d39e617c834759cf59bbb.tar.gz rails-08d0a11a3f62718d601d39e617c834759cf59bbb.tar.bz2 rails-08d0a11a3f62718d601d39e617c834759cf59bbb.zip |
Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted, leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
Diffstat (limited to 'actionview/lib/action_view')
-rw-r--r-- | actionview/lib/action_view/helpers/number_helper.rb | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb
index ad825cd1f1..7157a95146 100644
--- a/actionview/lib/action_view/helpers/number_helper.rb
+++ b/actionview/lib/action_view/helpers/number_helper.rb
@@ -384,20 +384,29 @@ module ActionView
       def delegate_number_helper_method(method, number, options)
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.public_send(method, number, options)
         }
       end
 
-      def escape_unsafe_delimiters_and_separators(options)
-        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
-        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
-        options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+      def escape_unsafe_options(options)
+        options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
+        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
+        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+        options[:units] = escape_units(options[:units]) if options[:units] && Hash === options[:units]
         options
       end
 
+      def escape_units(units)
+        Hash[units.map do |k, v|
+          [k, ERB::Util.html_escape(v)]
+        end]
+      end
+
       def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
         valid_float = valid_float?(number)
         raise InvalidNumberError, number if raise_on_invalid && !valid_float
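Review bot: In `escape_unsafe_options` the `:unit` line keeps an explicit `&& !options[:unit].html_safe?` guard while the new `:format`, `:negative_format`, `:separator` and `:delimiter` lines rely on `ERB::Util.html_escape` returning an already html_safe string unchanged, so the method reads as though `:unit` were handled differently when it is not. For consistency I would write `options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit]` and let the escape helper make the html_safe decision in one place. Note also that `escape_units` only covers a Hash-valued `:units`; when `:units` is a Symbol it is presumably an I18n lookup key and the translated strings never pass through this method, which is worth stating in a comment above the `Hash === options[:units]` line (e.g. `# Symbol units name an I18n scope; only literal hashes are caller-supplied and escaped here`). `escape_units` could also be the one-liner `units.each_with_object({}) { |(k, v), h| h[k] = ERB::Util.html_escape(v) }` rather than `Hash[...map...]`.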