From 3ddd7f7ec9b156e4b7de4c23d448c2db98f30504 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Tue, 7 Dec 2010 16:27:55 +1300
Subject: Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors. This fixes CVE-2011-0446
---
 actionpack/lib/action_view/helpers/url_helper.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index cfa88c91e3..2cd2dca711 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -497,13 +497,14 @@ module ActionView
 email_address_obfuscated = email_address.dup
 email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")
 email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.key?("replace_dot")
-
 case encode
 when "javascript"
- string =
- "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".unpack('C*').map { |c|
- sprintf("%%%x", c)
- }.join
+ string = ''
+ html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
+ html = escape_javascript(html)
+ "document.write('#{html}');".each_byte do |c|
+ string << sprintf("%%%x", c)
+ end
 "".html_safe
 when "hex"
 email_address_encoded = email_address_obfuscated.unpack('C*').map {|c|
-- cgit v1.2.3
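Review bot: `sprintf("%%%x", c)` on the new `string <<` line emits a single hex digit for any byte below 0x10 (a tab in `name` or in an attribute value becomes `%9`), which a percent-decoder on the consuming side would treat as malformed rather than decode; the format should be width-padded, `string << sprintf("%%%02x", c)`. The context line after `end` appears truncated in this rendering, so the exact decoding call cannot be confirmed from the hunk. Separately, the new `content_tag` line still marks the `href` value `html_safe`, which skips attribute escaping for `email_address` and `extras`; that is only sound if both are escaped before this point, which is outside the hunk. The enclosing method starts and ends outside the hunk.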