authorMichael Koziarski <michael@koziarski.com>2013-12-02 10:12:47 +1300
committerAaron Patterson <aaron.patterson@gmail.com>2013-12-02 16:41:14 -0800
commitb31a7a6f1ec3c74f75b4cd12386b08295287418d (patch)
treeb76118ab77470679d0e4d4df43f7a3957c001b6b /actionview
parent2e3c3a87d81e16a2fed442c1cf31360f75737a83 (diff)
Escape the unit value provided to number_to_currency
Previously the unit value was trusted and interpolated unescaped into HTML-safe output, leading to a potential XSS vulnerability when it came from user input. Fixes: CVE-2013-6415
Diffstat (limited to 'actionview')
-rw-r--r--actionview/lib/action_view/helpers/number_helper.rb1
-rw-r--r--actionview/test/template/number_helper_test.rb3
2 files changed, 3 insertions, 1 deletions
diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb
index 9adc2c1a8f..13387078a4 100644
--- a/actionview/lib/action_view/helpers/number_helper.rb
+++ b/actionview/lib/action_view/helpers/number_helper.rb
@@ -394,6 +394,7 @@ module ActionView
def escape_unsafe_delimiters_and_separators(options)
options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
+ options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
options
end
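Review bot: The added line on `options[:unit]` makes escaping depend on `html_safe?`, so any caller that marks the unit with `raw`/`html_safe` bypasses the fix entirely, and nothing in the method says so; a comment would keep the next maintainer from reintroducing the bug, e.g. `# Values already marked html_safe are trusted as-is: callers must only use raw/html_safe for constants, never for user input.` The method name `escape_unsafe_delimiters_and_separators` now also covers unit, which the name does not suggest; since the three lines are identical apart from the key, a loop over `%i(separator delimiter unit)` would make the covered set explicit and the name less misleading. Whether other string options interpolated into the output (`format`, `negative_format`) are trusted is not visible here and is worth confirming, since this method is presumably the only escaping step before the result is marked safe.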
diff --git a/actionview/test/template/number_helper_test.rb b/actionview/test/template/number_helper_test.rb
index 6e640889d2..be336ea3fb 100644
--- a/actionview/test/template/number_helper_test.rb
+++ b/actionview/test/template/number_helper_test.rb
@@ -14,7 +14,8 @@ class NumberHelperTest < ActionView::TestCase
assert_equal nil, number_to_currency(nil)
assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
- assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: "K&#269;", format: "%n %u", negative_format: "%n - %u")
+ assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: raw("K&#269;"), format: "%n %u", negative_format: "%n - %u")
+ assert_equal "&amp;pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "&pound;")
end
def test_number_to_percentage
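Review bot: The new assertion at the `&pound;` line only checks that an ampersand is escaped; a regression test for an XSS fix should also pin the characters an attacker actually needs, e.g. `assert_equal "&lt;b&gt;1,234,567,890.50", number_to_currency("1234567890.50", unit: "<b>")`. It would also be worth asserting that the escaped result is still reported `html_safe?`, since that is what lets the value be rendered without double-escaping in a template. The changed `raw("K&#269;")` line documents the opt-out path; a one-line comment on it saying that `raw` deliberately bypasses the escaping would make that intent clear to readers. The enclosing `test_number_to_currency` method starts above this hunk.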