From 0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3 Mon Sep 17 00:00:00 2001
From: Jon Jensen
Date: Fri, 2 Dec 2011 12:55:33 -0700
Subject: Restore performance of ERB::Util.html_escape
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revert html_escape to do a single gsub again, but add the "n" flag (no language, i.e. not multi-byte) to protect against XSS via invalid utf8

Signed-off-by: José Valim
---
 activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'activesupport/lib/active_support/core_ext/string')

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 5d7f74bb65..7b359a039b 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ class ERB
 if s.html_safe?
 s
 else
- s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/<]/n) { |special| HTML_ESCAPE[special] }.html_safe
 end
 end
--
cgit v1.2.3
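Review bot: The replacement regexp, as far as the garbled hunk line shows (it ends in `]/n`), covers the same four characters as the chained gsubs it removes (`&`, `"`, `>`, `<`) and still leaves `'` untouched, so a value interpolated into a single-quoted attribute gets no protection from html_escape; if that is intentional it deserves a comment, otherwise `'` belongs in the character class and in HTML_ESCAPE. The reason for the `/n` flag lives only in the commit message and should sit above the gsub, e.g. `# /n matches byte-wise so invalid UTF-8 in s cannot stop a special character from being escaped; the invalid bytes themselves pass through into the html_safe result unchanged.` Since the block is a plain hash lookup, `s.gsub(/[&"><]/n, HTML_ESCAPE).html_safe` gives the same result without the block. The enclosing html_escape method starts before the hunk, and the removed and added lines appear fused into one line on this page.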