From e8d57f361a9982382f75449ec0d65d6c798b9ce2 Mon Sep 17 00:00:00 2001
From: lest
Date: Thu, 17 Nov 2011 18:29:55 +0300
Subject: _html translation should escape interpolated arguments

---
 actionpack/CHANGELOG.md | 14 ++++++++++++++
 actionpack/lib/action_view/helpers/translation_helper.rb | 13 +++++++++----
 actionpack/test/template/translation_helper_test.rb | 6 ++++++
 3 files changed, 29 insertions(+), 4 deletions(-)
(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 4c265c41d8..9d847c763b 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -64,6 +64,20 @@
 ## Rails 3.1.2 (unreleased) ##
+* Fix XSS security vulnerability in the `translate` helper method. When using interpolation
+ in combination with HTML-safe translations, the interpolated input would not get HTML
+ escaped. *GH 3664*
+
+ Before:
+
+ translate('foo_html', :something => '