
Handle integers and such; only strings can contain XSS attacks

1 parent 6b4f51d commit e44cc0031244b01046b67168a1bc537eaf4e8c7e @NZKoz NZKoz committed Jul 12, 2009
Showing with 8 additions and 1 deletion.
  1. +2 −1 lib/rails_xss_escaping.rb
  2. +6 −0 test/rails_xss_test.rb
@@ -3,7 +3,8 @@
ERB::Util.module_eval do # :nodoc:
def html_escape_with_output_safety(value)
- if value.html_safe?
+ # Values which don't respond to html_safe, should be checked
+ if value.respond_to?(:html_safe?) && value.html_safe?
value
else
html_escape_without_output_safety(value).html_safe!
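Review bot: The added comment above the `respond_to?` guard is imprecise — it names `html_safe` rather than `html_safe?` and does not say what happens to values that fail the guard, which is the whole point of the change; I'd replace it with `# Only objects answering html_safe? truthily (strings marked safe) skip escaping; anything else (Integer, nil, ...) falls through and is escaped`. Stating this explicitly matters because the guard trusts any object that responds to `html_safe?`, so the escaping bypass rests entirely on that protocol. The else branch presumably escapes non-strings via their `to_s` inside `html_escape_without_output_safety` — worth confirming that holds for `nil`. The body of html_escape_with_output_safety continues past the end of the hunk.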
@@ -15,4 +15,10 @@ class RailsXssTest < ActiveSupport::TestCase
assert_equal "<p>", escaped
assert escaped.html_safe?
end
+
+ test "ERB::Util.h should not implode when passed a non-string" do
+ assert_nothing_raised do
+ assert_equal "1", ERB::Util.h(1)
+ end
+ end
end
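Review bot: The new test only pins that an Integer comes back as `"1"` without raising; it does not check the property the commit title claims, namely that a non-string whose `to_s` contains markup is still escaped, nor that the result is marked safe. I'd add `obj = Object.new; def obj.to_s; "<b>"; end`, `assert_equal "&lt;b&gt;", ERB::Util.h(obj)` and `assert ERB::Util.h(1).html_safe?` alongside the existing assertion. The `assert_nothing_raised` wrapper around `assert_equal` adds nothing, since a failing `assert_equal` already reports loudly; dropping it leaves a plainer test. The enclosing RailsXssTest class begins before the hunk.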

