Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Demote Hash#to_xml to use XmlSimple#xml_in_string so it can't read fi…

…les or stdin. Closes #8453.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7086 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit 40f6e9f8e126c494ff89b4c149bbd7a1fe7df197 1 parent 95c9ece
@jeremy jeremy authored
View
2  activesupport/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Demote Hash#to_xml to use XmlSimple#xml_in_string so it can't read files or stdin. #8453 [candlerb, Jeremy Kemper]
+
* Backport clean_logger changes to support ruby 1.8.2 [mislav]
* Added proper handling of arrays #8537 [hasmanyjosh]
View
23 activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -20,6 +20,27 @@ def to_query(key) #:nodoc:
end
end
+# Locked down XmlSimple#xml_in_string
+class XmlSimple
+ # Same as xml_in but doesn't try to smartly shoot itself in the foot.
+ def xml_in_string(string, options = nil)
+ handle_options('in', options)
+
+ @doc = parse(string)
+ result = collapse(@doc.root)
+
+ if @options['keeproot']
+ merge({}, @doc.root.name, result)
+ else
+ result
+ end
+ end
+
+ def self.xml_in_string(string, options = nil)
+ new.xml_in_string(string, options)
+ end
+end
+
module ActiveSupport #:nodoc:
module CoreExtensions #:nodoc:
module Hash #:nodoc:
@@ -135,7 +156,7 @@ def to_xml(options = {})
module ClassMethods
def from_xml(xml)
# TODO: Refactor this into something much cleaner that doesn't rely on XmlSimple
- typecast_xml_value(undasherize_keys(XmlSimple.xml_in(xml,
+ typecast_xml_value(undasherize_keys(XmlSimple.xml_in_string(xml,
'forcearray' => false,
'forcecontent' => true,
'keeproot' => true,
Please sign in to comment.
Something went wrong with that request. Please try again.