diff options
| author | Santiago Pastorino <santiago@wyeworks.com> | 2012-07-31 22:25:54 -0300 |
|---|---|---|
| committer | Santiago Pastorino <santiago@wyeworks.com> | 2012-08-02 17:14:30 -0300 |
| commit | 28f2c6f4037081da0a82104a3f473165ed4ed2ce (patch) | |
| tree | a511eac32c29cf7f9612b6691ac15ac558c5bd77 /activesupport | |
| parent | 9c1b1bd42ce00d43b7894daaf096eff9ee55aef1 (diff) | |
| download | rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.gz rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.bz2 rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.zip | |
html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
Diffstat (limited to 'activesupport')
| -rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 44 | ||||
| -rw-r--r-- | activesupport/test/core_ext/string_ext_test.rb | 4 |
2 files changed, 18 insertions, 30 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index f5622224d2..c0bd821ea5 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -3,36 +3,24 @@ require 'active_support/core_ext/kernel/singleton_class' class ERB module Util - HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } + HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } - # Detect whether 1.9 can transcode with XML escaping. - if '"><&""' == ('><&"'.encode('utf-8', :xml => :attr) rescue false) - # A utility method for escaping HTML tag characters. - # This method is also aliased as <tt>h</tt>. - # - # In your ERB templates, use this method to escape any unsafe content. For example: - # <%=h @person.name %> - # - # ==== Example: - # puts html_escape("is a > 0 & a < 10?") - # # => is a > 0 & a < 10? - def html_escape(s) - s = s.to_s - if s.html_safe? - s - else - s.encode(s.encoding, :xml => :attr)[1...-1].html_safe - end - end - else - def html_escape(s) #:nodoc: - s = s.to_s - if s.html_safe? - s - else - s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe - end + # A utility method for escaping HTML tag characters. + # This method is also aliased as <tt>h</tt>. + # + # In your ERB templates, use this method to escape any unsafe content. For example: + # <%=h @person.name %> + # + # ==== Example: + # puts html_escape("is a > 0 & a < 10?") + # # => is a > 0 & a < 10? + def html_escape(s) + s = s.to_s + if s.html_safe? + s + else + s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe end end diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index 47b9f68ed0..a8eca53ea7 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -493,8 +493,8 @@ class OutputSafetyTest < ActiveSupport::TestCase end test "ERB::Util.html_escape should escape unsafe characters" do - string = '<>&"' - expected = '<>&"' + string = '<>&"\'' + expected = '<>&"'' assert_equal expected, ERB::Util.html_escape(string) end |