From b31a7a6f1ec3c74f75b4cd12386b08295287418d Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Mon, 2 Dec 2013 10:12:47 +1300
Subject: Escape the unit value provided to number_to_currency

Previously the unit values were trusted leading to potential XSS vulnerabilities.

Fixes: CVE-2013-6415
---
 actionview/lib/action_view/helpers/number_helper.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'actionview/lib/action_view')

diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb
index 9adc2c1a8f..13387078a4 100644
--- a/actionview/lib/action_view/helpers/number_helper.rb
+++ b/actionview/lib/action_view/helpers/number_helper.rb
@@ -394,6 +394,7 @@ module ActionView
       def escape_unsafe_delimiters_and_separators(options)
         options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
         options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
+        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
         options
       end
 
-- 
cgit v1.2.3