From 40f6e9f8e126c494ff89b4c149bbd7a1fe7df197 Mon Sep 17 00:00:00 2001
From: Jeremy Kemper <jeremy@bitsweat.net>
Date: Sat, 23 Jun 2007 00:40:53 +0000
Subject: Demote Hash#to_xml to use XmlSimple#xml_in_string so it can't read
 files or stdin. Closes #8453.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7086 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 .../active_support/core_ext/hash/conversions.rb    | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

(limited to 'activesupport/lib/active_support')

diff --git a/activesupport/lib/active_support/core_ext/hash/conversions.rb b/activesupport/lib/active_support/core_ext/hash/conversions.rb
index 2c0d894518..929dd45e98 100644
--- a/activesupport/lib/active_support/core_ext/hash/conversions.rb
+++ b/activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -20,6 +20,27 @@ class Array
   end
 end
 
+# Locked down XmlSimple#xml_in_string
+class XmlSimple
+  # Same as xml_in but doesn't try to smartly shoot itself in the foot.
+  def xml_in_string(string, options = nil)
+    handle_options('in', options)
+
+    @doc = parse(string)
+    result = collapse(@doc.root)
+
+    if @options['keeproot']
+      merge({}, @doc.root.name, result)
+    else
+      result
+    end
+  end
+
+  def self.xml_in_string(string, options = nil)
+    new.xml_in_string(string, options)
+  end
+end
+
 module ActiveSupport #:nodoc:
   module CoreExtensions #:nodoc:
     module Hash #:nodoc:
@@ -135,7 +156,7 @@ module ActiveSupport #:nodoc:
         module ClassMethods
           def from_xml(xml)
             # TODO: Refactor this into something much cleaner that doesn't rely on XmlSimple
-            typecast_xml_value(undasherize_keys(XmlSimple.xml_in(xml,
+            typecast_xml_value(undasherize_keys(XmlSimple.xml_in_string(xml,
               'forcearray'   => false,
               'forcecontent' => true,
               'keeproot'     => true,
-- 
cgit v1.2.3