From 0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3 Mon Sep 17 00:00:00 2001
From: Jon Jensen <jenseng@gmail.com>
Date: Fri, 2 Dec 2011 12:55:33 -0700
Subject: Restore performance of ERB::Util.html_escape
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8

Signed-off-by: José Valim <jose.valim@gmail.com>
---
 .../core_ext/string/output_safety.rb               |  2 +-
 activesupport/test/core_ext/string_ext_test.rb     | 23 ++++++++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 5d7f74bb65..7b359a039b 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
+        s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
       end
     end
 
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index ade09efc56..47b9f68ed0 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
   include ConstantizeTestCases
 
-  def test_erb_escape
-    string = [192, 60].pack('CC')
-    expected = 192.chr + "&lt;"
-    assert_equal expected, ERB::Util.html_escape(string)
-  end
-
   def test_strip_heredoc_on_an_empty_string
     assert_equal '', ''.strip_heredoc
   end
@@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
     assert string.html_safe?
     assert !string.to_param.html_safe?
   end
+
+  test "ERB::Util.html_escape should escape unsafe characters" do
+    string = '<>&"'
+    expected = '&lt;&gt;&amp;&quot;'
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should not escape safe strings" do
+    string = "<b>hello</b>".html_safe
+    assert_equal string, ERB::Util.html_escape(string)
+  end
 end
 
 class StringExcludeTest < ActiveSupport::TestCase
-- 
cgit v1.2.3