From 5d5e34fa52183566968cb22f7c49544a7361a130 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Thu, 15 Oct 2009 09:58:17 +1300
Subject: Use ERB::Util.h over CGI.escapeHTML as the former is safety aware and
 the latter isn't

---
 actionpack/lib/action_controller/metal/redirector.rb | 2 +-
 actionpack/lib/action_view/safe_buffer.rb            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_controller/metal/redirector.rb b/actionpack/lib/action_controller/metal/redirector.rb
index f79fd54acd..b55f5e7bfc 100644
--- a/actionpack/lib/action_controller/metal/redirector.rb
+++ b/actionpack/lib/action_controller/metal/redirector.rb
@@ -16,7 +16,7 @@ module ActionController
       logger.info("Redirected to #{url}") if logger && logger.info?
       self.status = status
       self.location = url.gsub(/[\r\n]/, '')
-      self.response_body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>"
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(url)}\">redirected</a>.</body></html>"
     end
   end
 end
diff --git a/actionpack/lib/action_view/safe_buffer.rb b/actionpack/lib/action_view/safe_buffer.rb
index 8ba9cd80d6..09f44ab26f 100644
--- a/actionpack/lib/action_view/safe_buffer.rb
+++ b/actionpack/lib/action_view/safe_buffer.rb
@@ -5,7 +5,7 @@ module ActionView #:nodoc:
       if value.html_safe?
         super(value)
       else
-        super(CGI.escapeHTML(value))
+        super(ERB::Util.h(value))
       end
     end
 
-- 
cgit v1.2.3