diff options
| author | Jon Jensen <jenseng@gmail.com> | 2011-12-02 12:55:33 -0700 |
|---|---|---|
| committer | José Valim <jose.valim@gmail.com> | 2011-12-03 10:36:52 +0100 |
| commit | 0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3 (patch) | |
| tree | b1cf0dc4056526df4db2ebfdb8e3fc735ac3939a /activesupport | |
| parent | 9ac6310bd988f19b02e375f1f9594df4d469f624 (diff) | |
| download | rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.tar.gz rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.tar.bz2 rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.zip | |
Restore performance of ERB::Util.html_escape
Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8
Signed-off-by: José Valim <jose.valim@gmail.com>
Diffstat (limited to 'activesupport')
| -rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 | ||||
| -rw-r--r-- | activesupport/test/core_ext/string_ext_test.rb | 23 |
2 files changed, 18 insertions, 7 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 5d7f74bb65..7b359a039b 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -20,7 +20,7 @@ class ERB if s.html_safe? s else - s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe + s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe end end diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index ade09efc56..47b9f68ed0 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase include InflectorTestCases include ConstantizeTestCases - def test_erb_escape - string = [192, 60].pack('CC') - expected = 192.chr + "<" - assert_equal expected, ERB::Util.html_escape(string) - end - def test_strip_heredoc_on_an_empty_string assert_equal '', ''.strip_heredoc end @@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase assert string.html_safe? assert !string.to_param.html_safe? end + + test "ERB::Util.html_escape should escape unsafe characters" do + string = '<>&"' + expected = '<>&"' + assert_equal expected, ERB::Util.html_escape(string) + end + + test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do + string = [192, 60].pack('CC') + expected = 192.chr + "<" + assert_equal expected, ERB::Util.html_escape(string) + end + + test "ERB::Util.html_escape should not escape safe strings" do + string = "<b>hello</b>".html_safe + assert_equal string, ERB::Util.html_escape(string) + end end class StringExcludeTest < ActiveSupport::TestCase |