From bfc432574d0b141fd7fe759edfe9b6771dd306bd Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Tue, 16 Aug 2011 15:18:53 -0700
Subject: properly escape html to avoid invalid utf8 causing XSS attacks

---
 activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 +-
 activesupport/test/core_ext/string_ext_test.rb                    | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 6d6c4912bb..f111c8e5a3 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
       end
     end
 
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index a4bba056df..81a284dded 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -7,10 +7,17 @@ require 'active_support/inflector'
 require 'active_support/core_ext/string'
 require 'active_support/time'
 require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/string/output_safety'
 
 class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
 
+  def test_erb_escape
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
   def test_strip_heredoc_on_an_empty_string
     assert_equal '', ''.strip_heredoc
   end
-- 
cgit v1.2.3