From 28f2c6f4037081da0a82104a3f473165ed4ed2ce Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Tue, 31 Jul 2012 22:25:54 -0300
Subject: html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
---
 actionpack/test/template/form_tag_helper_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack/test/template/form_tag_helper_test.rb')
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index dcc6dd0411..68dfceef07 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -368,7 +368,7 @@ class FormTagHelperTest < ActionView::TestCase
 def test_submit_tag
 assert_dom_equal(
- %(),
+ %(),
 submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
 )
 end
-- cgit v1.2.3
From 6d0526db91afb0675c2ad3d871529d1536303c64 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Wed, 8 Aug 2012 15:10:35 -0700
Subject: escape select_tag :prompt values
CVE-2012-3463
---
 actionpack/test/template/form_tag_helper_test.rb | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'actionpack/test/template/form_tag_helper_test.rb')
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index 68dfceef07..6f0d0c3561 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
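Review bot: The single-quote escaping this commit asserts is pinned only as a side effect of the `:onclick => "alert('hello!')"` fixture inside `test_submit_tag`, so a later edit to that fixture would silently drop the coverage; a dedicated case such as `test_submit_tag_escapes_single_quotes_in_attributes` with the same fixture would document the contract explicitly. The expected markup inside the `%()` literal is not legible on this page, so the exact entity the new expectation uses cannot be checked from here. If `assert_dom_equal` in this version decodes entities before comparing attribute values, it would also accept an unescaped quote, and an `assert_equal` on the raw returned string would pin the escaped form more tightly — worth confirming against the test helper.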
@@ -208,6 +208,12 @@ class FormTagHelperTest < ActionView::TestCase
 assert_dom_equal expected, actual
 end
+ def test_select_tag_escapes_prompt
+ actual = select_tag "places", "".html_safe, :prompt => ""
+ expected = %()
+ assert_dom_equal expected, actual
+ end
+
 def test_select_tag_with_prompt_and_include_blank
 actual = select_tag "places", "".html_safe, :prompt => "string", :include_blank => true
 expected = %()
-- cgit v1.2.3
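Review bot: `test_select_tag_escapes_prompt` passes the option tags pre-marked `.html_safe` but the `:prompt` as a plain String, so it pins the escaping path only and not its complement: once `select_tag` escapes `:prompt`, a caller that already supplies an `html_safe` prompt must not see it double-escaped. A sibling case along the lines of `test_select_tag_does_not_escape_html_safe_prompt`, passing `:prompt => "[SAFE_PROMPT_PLACEHOLDER]".html_safe` and asserting it survives verbatim, would catch that regression; this is hedged, since the `select_tag` change itself is not in this patch (limited to the test file). The prompt payload and the `%()` expectation are both stripped to `""`/`%()` on this page, so whether the fixture exercises the characters `html_escape` handles cannot be verified from this view.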