
fixing utf8 escape vulerability

1 parent 60f783d commit e0774e47302a907319ed974ccf59b8b54d32bbde @tenderlove tenderlove committed Aug 16, 2011
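--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -19,7 +19,7 @@ def html_escape(s)
 if s.html_safe?
 s
 else
-s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
 end
 end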
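Review bot: The new escaping chain still leaves the single quote untouched, so a value interpolated into a single-quoted HTML attribute can close that attribute; unless the omission is deliberate, the line should end with one more step, `.gsub(/'/, "&#39;")`, before `.html_safe`. The order of the chain is also load-bearing and undocumented: `&` must be replaced first, otherwise the `&quot;`, `&gt;` and `&lt;` produced by the later steps would be re-escaped — a one-line comment above the chain, `# & first: the entities produced below must not be re-escaped`, would keep a future reorder from reintroducing double escaping. The same argument applies to the four separate single-character patterns, which presumably exist so that a stray lead byte cannot absorb the following metacharacter under multibyte regexp matching; that intent is worth stating in the same comment, and `/\"/` can simply be `/"/`. The enclosing `html_escape` starts before this hunk, so whether `s.to_s` here duplicates an earlier coercion cannot be seen from the diff.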
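--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -2,10 +2,17 @@
 require 'date'
 require 'abstract_unit'
 require 'inflector_test_cases'
+require 'active_support/core_ext/string/output_safety'
 class StringInflectionsTest < Test::Unit::TestCase
 include InflectorTestCases
+ def test_erb_escape
+ string = [192, 60].pack('CC')
+ expected = 192.chr + "&lt;"
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
 def test_pluralize
 SingularToPlural.each do |singular, plural|
 assert_equal(plural, singular.pluralize)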
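Review bot: `test_erb_escape` pins only the `<` case behind a lone 0xC0 lead byte, so the other three characters the escaper handles and the no-double-escape property of the new chain are unverified by this commit; adding `assert_equal "&amp;lt;", ERB::Util.html_escape("&lt;")` and one assertion per remaining character (`&`, `"`, `>`) would lock in the behaviour the fix depends on. A one-line comment on the test naming what the byte pair represents, `# a truncated multibyte lead byte followed by '<' must still escape the '<'`, would explain the otherwise opaque `[192, 60].pack('CC')`. The test is placed inside `StringInflectionsTest`, which is about inflections; a dedicated output-safety test class would be the more natural home. `StringInflectionsTest` continues past the end of this hunk.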

