-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/vendor/html-scanner/html/tokenizer.rb2
-rw-r--r--actionpack/test/controller/html-scanner/tokenizer_test.rb7
3 files changed, 10 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 80decb7413..0c18ec14b1 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Fixed HTML::Tokenizer (used in sanitize helper) didn't handle unclosed CDATA tags #10071 [esad, packagethief]
+
* Improve documentation. [Radar, Jan De Poorter, chuyeow, xaviershay, danger, miloops, Xavier Noria, Sunny Ripert]
* Fixed that FormHelper#radio_button would produce invalid ids #11298 [harlancrystal]
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/tokenizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/tokenizer.rb
index b950e84628..602411ed37 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/tokenizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/tokenizer.rb
@@ -54,7 +54,7 @@ module HTML #:nodoc:
tag << (@scanner.scan_until(/--\s*>/) || @scanner.scan_until(/\Z/))
elsif @scanner.scan(/!\[CDATA\[/)
tag << @scanner.matched
- tag << @scanner.scan_until(/\]\]>/)
+ tag << (@scanner.scan_until(/\]\]>/) || @scanner.scan_until(/\Z/))
elsif @scanner.scan(/!/) # doctype
tag << @scanner.matched
tag << consume_quoted_regions
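Review bot: The added fallback on the `+` line repeats the `|| @scanner.scan_until(/\Z/)` idiom from the comment branch three lines above; a small private helper such as `def scan_until_or_end(pattern)` / `@scanner.scan_until(pattern) || @scanner.scan_until(/\Z/)` / `end` would let both branches call `tag << scan_until_or_end(/\]\]>/)` and keep the end-of-input behaviour in one place. Nothing in the hunk says why the fallback matters, so a comment on the CDATA line would help the next reader: `# unterminated section: take the rest of the input as one token rather than failing on nil`, since `scan_until` returns nil when `]]>` never appears and `String#<<` then raises `TypeError`, which is presumably what #10071 hit when the sanitize helper tokenized an unterminated CDATA section in its input. The enclosing method begins and ends outside this hunk, so whether the doctype branch's `consume_quoted_regions` has the same end-of-input handling cannot be seen here.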
diff --git a/actionpack/test/controller/html-scanner/tokenizer_test.rb b/actionpack/test/controller/html-scanner/tokenizer_test.rb
index 53f032ac17..a001bcbbad 100644
--- a/actionpack/test/controller/html-scanner/tokenizer_test.rb
+++ b/actionpack/test/controller/html-scanner/tokenizer_test.rb
@@ -78,6 +78,13 @@ class TokenizerTest < Test::Unit::TestCase
assert_end
end
+ def test_unterminated_cdata_tag
+ tokenize %{<content:encoded><![CDATA[ neverending...}
+ assert_next %{<content:encoded>}
+ assert_next %{<![CDATA[ neverending...}
+ assert_end
+ end
+
def test_less_than_with_space
tokenize %{original < hello > world}
assert_next %{original }