Encode form inputs #16

Merged
merged 1 commit into from Jun 21, 2012
2 lib/openid/message.rb
@@ -288,7 +288,7 @@ def to_form_markup(action_url, form_tag_attrs=nil, submit_text='Continue')
markup += ">\n"
to_post_args.each { |k,v|
- markup += "<input type='hidden' name='#{k}' value='#{v}' />\n"
+ markup += "<input type='hidden' name='#{k}' value='#{OpenID::Util.html_encode(v)}' />\n"
}
markup += "<input type='submit' value='#{submit_text}' />\n"
markup += "\n</form>"
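Review bot: The value is now encoded, but the name attribute on the same changed line still interpolates `k` raw, and the submit button on the next context line interpolates `submit_text` raw into a single-quoted attribute, so a key or caller-supplied label containing `'` can still break out of the attribute. Apply the same helper to both: `markup += "<input type='hidden' name='#{OpenID::Util.html_encode(k)}' value='#{OpenID::Util.html_encode(v)}' />\n"` and `markup += "<input type='submit' value='#{OpenID::Util.html_encode(submit_text)}' />\n"`. The `action_url` parameter is presumably interpolated into the form tag above this hunk and would need the same treatment if it is not already encoded there. to_form_markup starts before and ends after this hunk.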
6 lib/openid/util.rb
@@ -105,6 +105,12 @@ def Util.auto_submit_html(form, title='OpenID transaction in progress')
</html>
"
end
+
+ ESCAPE_TABLE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#039;' }
+ # Modified from ERb's html_encode
+ def Util.html_encode(s)
+ s.to_s.gsub(/[&<>"']/) {|s| ESCAPE_TABLE[s] }
+ end
end
end
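Review bot: `ESCAPE_TABLE` is a mutable hash constant and the block parameter `|s|` on the gsub line shadows the method parameter `s`; freeze the table and give the block variable its own name: `ESCAPE_TABLE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#039;' }.freeze` and `s.to_s.gsub(/[&<>"']/) { |c| ESCAPE_TABLE[c] }`. The comment above the method could also state the contract callers rely on, e.g. `# Escapes &, <, >, " and ' so the result can be placed inside a single- or double-quoted HTML attribute value.`, since message.rb uses single-quoted attributes and the `'` entry is what makes that safe.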
1 test/test_message.rb
@@ -902,6 +902,7 @@ def setup
'openid.identity' => 'http://bogus.example.invalid:port/',
'openid.assoc_handle' => 'FLUB',
'openid.return_to' => 'Neverland',
+ 'openid.ax.value.fullname' => "Bob&Smith'"
}
@action_url = 'scheme://host:port/path?query'
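Review bot: The new fixture value `Bob&Smith'` exercises only `&` and `'`, and this hunk does not show whether the test later asserts that the rendered markup contains the encoded form `Bob&amp;Smith&#039;` or merely that it parses; the setup method begins before this hunk. Extending the value to cover the rest of the escape table, e.g. `'openid.ax.value.fullname' => %q(Bob&Smith'<">)`, would make the test fail if any single entry were dropped. If the existing form-markup test only checks well-formedness, an explicit assertion on the encoded substring is worth adding.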