authorAaron Patterson <aaron.patterson@gmail.com>2011-08-16 15:18:53 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2011-08-16 15:24:58 -0700
commitbfc432574d0b141fd7fe759edfe9b6771dd306bd (patch)
tree17ebd530a798128910f56c0b9dddd2202726ed8b /activesupport
parent586a944ddd4d03e66dea1093306147594748037a (diff)
properly escape html to avoid invalid utf8 causing XSS attacks
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support/core_ext/string/output_safety.rb2
-rw-r--r--activesupport/test/core_ext/string_ext_test.rb7
2 files changed, 8 insertions, 1 deletions
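--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ class ERB
 if s.html_safe?
 s
 else
-s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
 end
 end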
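Review bot: The four chained gsub calls on the added line are order-dependent — `&` has to be replaced first, otherwise the `&quot;`, `&gt;` and `&lt;` entities inserted by the later passes would themselves be re-escaped — and nothing in the code records that, so the line deserves a comment such as `# '&' must be escaped first so the entities inserted below are not double-escaped`. The removed line was the only visible reference to HTML_ESCAPE; if nothing else in the file uses it, the constant and this chain are now two separate definitions of the escape table that can drift apart, so either remove the constant or note that it must be kept in sync. The set of escaped characters is unchanged (`&`, `"`, `>`, `<`), so a single quote is still passed through; that limitation is worth stating in the method's documentation so callers do not assume single-quoted attribute values are covered. The enclosing method (presumably ERB::Util.html_escape, given the test in the next file) starts before this hunk.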
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index a4bba056df..81a284dded 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -7,10 +7,17 @@ require 'active_support/inflector'
require 'active_support/core_ext/string'
require 'active_support/time'
require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/string/output_safety'
class StringInflectionsTest < Test::Unit::TestCase
include InflectorTestCases
+ def test_erb_escape
+ string = [192, 60].pack('CC')
+ expected = 192.chr + "&lt;"
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
def test_strip_heredoc_on_an_empty_string
assert_equal '', ''.strip_heredoc
end
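Review bot: The new test_erb_escape builds its input with `[192, 60].pack('CC')`, which yields a binary-encoded string, while the commit message describes invalid UTF-8 as the trigger; depending on the Ruby version the suite runs on, a UTF-8-tagged string with the same bytes may take a different code path in gsub, so a second assertion with `[192, 60].pack('CC').force_encoding('UTF-8')` (on 1.9-era interpreters) would pin the scenario the fix is actually about. A one-line comment above the test, such as `# 0xC0 is a lone UTF-8 lead byte; the following '<' must still be escaped`, would also explain why 192 was chosen, since the test currently reads as magic numbers. The test is placed inside StringInflectionsTest, which is about inflections; a dedicated test case for output safety would be a more natural home.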