Handle integers and such, only strings can contain XSS attacks

commit e44cc0031244b01046b67168a1bc537eaf4e8c7e 1 parent 6b4f51d
Michael Koziarski authored July 12, 2009
3  lib/rails_xss_escaping.rb
@@ -3,7 +3,8 @@
 ERB::Util.module_eval do  # :nodoc:
 
   def html_escape_with_output_safety(value)
-    if value.html_safe?
+    # Values which don't respond to html_safe, should be checked
+    if value.respond_to?(:html_safe?) && value.html_safe?
       value
     else
       html_escape_without_output_safety(value).html_safe!
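Review bot: the new guard `+    if value.respond_to?(:html_safe?) && value.html_safe?` trusts any object that answers `html_safe?` with true, not only Strings, although the commit message says only strings can carry XSS; if the safety flag is meant for strings alone, `value.is_a?(String) && value.html_safe?` states that boundary more tightly. Non-String values such as Integers now short-circuit the guard and fall through to `html_escape_without_output_safety`, which is the intended fix. Minor: the added comment reads better as `# Values which don't respond to html_safe? should be checked` (drop the comma and add the question mark so it matches the method name).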
6  test/rails_xss_test.rb
@@ -15,4 +15,10 @@ class RailsXssTest < ActiveSupport::TestCase
     assert_equal "<p>", escaped
     assert escaped.html_safe?
   end
+  
+  test "ERB::Util.h should not implode when passed a non-string" do
+    assert_nothing_raised do
+      assert_equal "1", ERB::Util.h(1)
+    end
+  end
 end
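Review bot: the new test only exercises the Integer `1`; `nil` likewise does not respond to `html_safe?` and takes the same escaping path, so a second assertion on `ERB::Util.h(nil)` would cover that case, and asserting `ERB::Util.h(1).html_safe?` would confirm the escaped result is marked safe as the `else` branch in `lib/rails_xss_escaping.rb` intends. The `assert_nothing_raised` wrapper is redundant, since an exception raised inside `assert_equal` already fails the test. Style: the added blank line `+  ` carries trailing whitespace.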
