From 5ed70c591fa086d745b35a16713d91fc0e3ec858 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Wed, 13 Nov 2013 16:14:07 +1300
Subject: Escape the unit value provided to number_to_currency

Fixes CVE-2013-6415

Previously the values were trusted blindly allowing for potential XSS attacks.
---
 actionpack/lib/action_view/helpers/number_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index ad86d13456..eee9e59a24 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -156,7 +156,7 @@ module ActionView
 
         begin
           value = number_with_precision(number, options.merge(:raise => true))
-          format.gsub(/%n/, value).gsub(/%u/, unit).html_safe
+          format.gsub(/%n/, ERB::Util.html_escape(value)).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
         rescue InvalidNumberError => e
           if options[:raise]
             raise
-- 
cgit v1.2.3
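Review bot: The `+` line escapes `value` and `unit` but still interpolates `format` verbatim and then marks the whole result `html_safe`, so a caller that lets a user choose `:format` (or `:negative_format`, selected outside this hunk) is still exposed; that is a deliberate trust boundary rather than a defect here, but the method's documentation (its header is outside the hunk) should state it, e.g. `# The number and :unit are HTML-escaped; :format and :negative_format are inserted as-is and must come from trusted code.` Separately, `String#gsub` with a string replacement interprets backslash sequences (`\0`, `\&`, `\\`), so an escaped unit containing a backslash is silently rewritten; the block form sidesteps this: `format.gsub(/%n/) { ERB::Util.html_escape(value) }.gsub(/%u/) { ERB::Util.html_escape(unit) }.html_safe`. The `rescue InvalidNumberError` path continues past the end of the hunk and presumably also substitutes `unit` into `format` for the non-raising case; confirm that branch applies the same escaping, since the commit message says the fix covers the unit value.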