diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2011-08-16 15:18:53 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-08-16 15:24:58 -0700 |
commit | bfc432574d0b141fd7fe759edfe9b6771dd306bd (patch) | |
tree | 17ebd530a798128910f56c0b9dddd2202726ed8b /activesupport | |
parent | 586a944ddd4d03e66dea1093306147594748037a (diff) | |
download | rails-bfc432574d0b141fd7fe759edfe9b6771dd306bd.tar.gz rails-bfc432574d0b141fd7fe759edfe9b6771dd306bd.tar.bz2 rails-bfc432574d0b141fd7fe759edfe9b6771dd306bd.zip |
properly escape html to avoid invalid utf8 causing XSS attacks
Diffstat (limited to 'activesupport')
-rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 | ||||
-rw-r--r-- | activesupport/test/core_ext/string_ext_test.rb | 7 |
2 files changed, 8 insertions, 1 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 6d6c4912bb..f111c8e5a3 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -20,7 +20,7 @@ class ERB if s.html_safe? s else - s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe + s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe end end diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index a4bba056df..81a284dded 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -7,10 +7,17 @@ require 'active_support/inflector' require 'active_support/core_ext/string' require 'active_support/time' require 'active_support/core_ext/string/strip' +require 'active_support/core_ext/string/output_safety' class StringInflectionsTest < Test::Unit::TestCase include InflectorTestCases + def test_erb_escape + string = [192, 60].pack('CC') + expected = 192.chr + "<" + assert_equal expected, ERB::Util.html_escape(string) + end + def test_strip_heredoc_on_an_empty_string assert_equal '', ''.strip_heredoc end |