From b31a7a6f1ec3c74f75b4cd12386b08295287418d Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Mon, 2 Dec 2013 10:12:47 +1300
Subject: Escape the unit value provided to number_to_currency

Previously the unit values were trusted leading to potential XSS vulnerabilities.

Fixes: CVE-2013-6415
---
 actionview/test/template/number_helper_test.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'actionview/test/template/number_helper_test.rb')

diff --git a/actionview/test/template/number_helper_test.rb b/actionview/test/template/number_helper_test.rb
index 6e640889d2..be336ea3fb 100644
--- a/actionview/test/template/number_helper_test.rb
+++ b/actionview/test/template/number_helper_test.rb
@@ -14,7 +14,8 @@ class NumberHelperTest < ActionView::TestCase
     assert_equal nil, number_to_currency(nil)
     assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
     assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
-    assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: "K&#269;", format: "%n %u", negative_format: "%n - %u")
+    assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: raw("K&#269;"), format: "%n %u", negative_format: "%n - %u")
+    assert_equal "&amp;pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "&pound;")
   end
 
   def test_number_to_percentage
-- 
cgit v1.2.3