| Field | Value | Date |
|---|---|---|
| author | Michael Koziarski <michael@koziarski.com> | 2013-12-02 10:12:47 +1300 |
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-12-02 16:41:14 -0800 |
| commit | b31a7a6f1ec3c74f75b4cd12386b08295287418d (patch) | |
| tree | b76118ab77470679d0e4d4df43f7a3957c001b6b /actionview/lib | |
| parent | 2e3c3a87d81e16a2fed442c1cf31360f75737a83 (diff) | |
Escape the unit value provided to number_to_currency
Previously the unit values were trusted, leading to potential XSS vulnerabilities.
Fixes: CVE-2013-6415
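As an added Ruby example, not code from this commit or from Rails, the check the patch introduces rehearsed in a minimal stand-in: a simplified currency formatter (the `String#html_safe?` marking, `SafeString`, `escape_unsafe_options` and `format_currency` are assumptions of this example) escapes `:separator`, `:delimiter` and `:unit` unless the caller explicitly marked them html-safe, so a unit taken from untrusted input reaches the page as text rather than markup.

```ruby
require 'erb'

# Stand-in for ActiveSupport's html_safe? marking (assumption of this example,
# not the Rails implementation): plain strings are untrusted, SafeString marks
# markup the caller vouches for and the helper must leave untouched.
class String
  def html_safe?
    false
  end
end

class SafeString < String
  def html_safe?
    true
  end
end

# Same rule as the patched escape_unsafe_delimiters_and_separators: every
# caller-supplied option, including :unit after CVE-2013-6415, is HTML-escaped
# unless it is already marked safe. Applied once per call, so no double escaping.
def escape_unsafe_options(options)
  [:separator, :delimiter, :unit].each do |key|
    value = options[key]
    next unless value && !value.html_safe?
    options[key] = ERB::Util.html_escape(value)
  end
  options
end

# Simplified formatter (assumption: not Rails' number_to_currency) that puts
# the unit in front of the number, like the default "%u%n" layout.
def format_currency(amount, options = {})
  options = escape_unsafe_options(options.dup)
  unit = options.fetch(:unit, '$')
  delimiter = options.fetch(:delimiter, ',')
  separator = options.fetch(:separator, '.')
  whole, frac = format('%.2f', amount).split('.')
  # Group thousands first, then join, so a multi-character (escaped) delimiter
  # is never reversed.
  groups = whole.reverse.scan(/\d{1,3}/).map(&:reverse).reverse
  "#{unit}#{groups.join(delimiter)}#{separator}#{frac}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an untrusted unit and an explicitly trusted one.
  puts format_currency(1234.5, unit: '<script>alert(1)</script>')
  puts format_currency(1234.5, unit: SafeString.new('<abbr>$</abbr>'))
end
```

Run it to see the untrusted unit printed as `&lt;script&gt;...` while the `SafeString` unit keeps its tags.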
Diffstat (limited to 'actionview/lib')
-rw-r--r-- | actionview/lib/action_view/helpers/number_helper.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb index 9adc2c1a8f..13387078a4 100644 --- a/actionview/lib/action_view/helpers/number_helper.rb +++ b/actionview/lib/action_view/helpers/number_helper.rb @@ -394,6 +394,7 @@ module ActionView def escape_unsafe_delimiters_and_separators(options) options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe? options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe? + options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe? options end |
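Review bot: the added `options[:unit]` line repeats the separator/delimiter idiom a third time, and the method `escape_unsafe_delimiters_and_separators` now also escapes a field its name does not mention; consider iterating over `[:separator, :delimiter, :unit]` with a single `options[key] = ERB::Util.html_escape(options[key]) if options[key] && !options[key].html_safe?` and renaming or documenting the method, so the next caller-supplied option is not overlooked the way `:unit` was.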