From 6d0526db91afb0675c2ad3d871529d1536303c64 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Wed, 8 Aug 2012 15:10:35 -0700
Subject: escape select_tag :prompt values CVE-2012-3463
---
actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib/action_view')
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 066b98d4a2..9e0ec17836 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -122,11 +122,11 @@ module ActionView
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if options.delete(:include_blank)
- option_tags = "".html_safe + option_tags
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
end
if prompt = options.delete(:prompt)
- option_tags = "".html_safe + option_tags
+ option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
-- cgit v1.2.3
From e91e4e8bbee12ce1496bf384c04da6be296b687a Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Wed, 8 Aug 2012 14:33:39 -0700
Subject: Do not mark strip_tags result as html_safe Thanks to Marek Labos & Nethemba CVE-2012-3465
---
actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack/lib/action_view')
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 7768c8c151..0f6a5ed405 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -80,7 +80,7 @@ module ActionView
# strip_tags("
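Review bot: `safe_concat(option_tags)` on both added lines appends `option_tags` without escaping it, whereas the replaced `"".html_safe + option_tags` escaped a second operand that was not html_safe; the `:prompt` and `:include_blank` paths therefore treat an unsafe `option_tags` String more leniently than the plain path, where `content_tag :select, option_tags, ...` still escapes content that is not html_safe. Using `+` keeps the prompt escaped by `content_tag` and preserves the previous handling of the second operand: `option_tags = content_tag(:option, prompt, :value => '') + option_tags` (and the same form on the `:include_blank` line). A test that passes a prompt containing `<` and `&` and asserts the rendered `<option>` text is entity-encoded would pin the fix in place. The enclosing `select_tag` method begins and ends outside the hunk.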
Welcome to my website!
")
# # => Welcome to my website!
def strip_tags(html)
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
+ self.class.full_sanitizer.sanitize(html)
end
# Strips all link tags from +text+ leaving just the link text.
-- cgit v1.2.3
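Review bot: The doc comment above `def strip_tags(html)` is unchanged although the method's contract has changed: the returned String is no longer marked html_safe, so ERB escapes it on output and any caller that relied on the old `.try(:html_safe)` to emit the result raw now sees entity-escaped text. Add a line to the comment stating this, e.g. `#   The result is a plain String, not html_safe; templates escape it on output, since stripping tags alone does not make text safe to render.` The removed `.try` also tolerated a nil return from `full_sanitizer.sanitize`; if that can happen, the new line passes nil through unchanged, which deserves a short note or a test so the behaviour is kept deliberately. The hunk's first context line appears garbled by the rendering (the example's markup was stripped), so the comment text should be checked against the file.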