fixed XSS issue in link_to helper

mojolicious · Mar 1, 2011 · f6801ef · f6801ef
1 parent 18f34bb
commit f6801ef
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/Changes b/Changes
@@ -10,6 +10,7 @@ This file documents the revision history for Perl extension Mojolicious.
         - Improved tag helper attribute escaping.
         - Improved attrs method in Mojo::DOM.
         - Updated to jQuery to version 1.5.1.
+        - Fixed XSS issue in link_to helper.
         - Fixed route unescaping bug.
         - Fixed small documentation bug.
 

diff --git a/lib/Mojolicious/Plugin/TagHelpers.pm b/lib/Mojolicious/Plugin/TagHelpers.pm
@@ -102,6 +102,7 @@ sub register {
       # Content
       unless (defined $_[-1] && ref $_[-1] eq 'CODE') {
         @url = (shift);
+        xml_escape $content;
         push @_, sub {$content}
       }
 

diff --git a/t/mojolicious/tag_helper_lite_app.t b/t/mojolicious/tag_helper_lite_app.t
@@ -41,9 +41,9 @@ EOF
 
 # GET /links
 $t->get_ok('/links')->status_is(200)->content_is(<<EOF);
-<a href="/path">Path</a>
+<a href="/path">Pa&lt;th</a>
 <a href="http://example.com/" title="Foo">Foo</a>
-<a href="http://example.com/">Example</a>
+<a href="http://example.com/"><foo>Example</foo></a>
 <a href="/links">Home</a>
 <a href="/form/23" title="Foo">Foo</a>
 EOF
@@ -216,9 +216,9 @@ __DATA__
 <%= tag 'foo', one => 't<wo', three => 'four' => begin %>Hello<% end %>
 
 @@ links.html.ep
-<%= link_to Path => '/path' %>
+<%= link_to 'Pa<th' => '/path' %>
 <%= link_to 'http://example.com/', title => 'Foo', sub { 'Foo' } %>
-<%= link_to 'http://example.com/' => begin %>Example<% end %>
+<%= link_to 'http://example.com/' => begin %><foo>Example</foo><% end %>
 <%= link_to Home => 'links' %>
 <%= link_to Foo => 'form', {test => 23}, title => 'Foo' %>