From b31a7a6f1ec3c74f75b4cd12386b08295287418d Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Mon, 2 Dec 2013 10:12:47 +1300 Subject: Escape the unit value provided to number_to_currency Previously the unit values were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2013-6415 --- actionview/test/template/number_helper_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'actionview/test') diff --git a/actionview/test/template/number_helper_test.rb b/actionview/test/template/number_helper_test.rb index 6e640889d2..be336ea3fb 100644 --- a/actionview/test/template/number_helper_test.rb +++ b/actionview/test/template/number_helper_test.rb @@ -14,7 +14,8 @@ class NumberHelperTest < ActionView::TestCase assert_equal nil, number_to_currency(nil) assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50) assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0) - assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: "Kč", format: "%n %u", negative_format: "%n - %u") + assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u") + assert_equal "&pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "£") end def test_number_to_percentage -- cgit v1.2.3 From 0c7ac34aed1845044cd1911e5a775366d7ca41c1 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Fri, 1 Nov 2013 11:50:05 +1300 Subject: Stop using i18n's built in HTML error handling. i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491 --- actionview/test/template/translation_helper_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionview/test') diff --git a/actionview/test/template/translation_helper_test.rb b/actionview/test/template/translation_helper_test.rb index d496dbb35e..0dfe47f5f4 100644 --- a/actionview/test/template/translation_helper_test.rb +++ b/actionview/test/template/translation_helper_test.rb @@ -31,7 +31,7 @@ class TranslationHelperTest < ActiveSupport::TestCase end def test_delegates_to_i18n_setting_the_rescue_format_option_to_html - I18n.expects(:translate).with(:foo, :locale => 'en', :rescue_format => :html).returns("") + I18n.expects(:translate).with(:foo, :locale => 'en', :raise=>true).returns("") translate :foo, :locale => 'en' end -- cgit v1.2.3