
Ensure simple_format escapes its html attributes

The previous behavior equated the sanitize option for simple_format with the
escape option of content_tag; however, these are two distinct concepts.

This fixes CVE-2013-6416
1 parent 6658782 commit 4b4f5847f64f81c961625e647711ef9f6ad1a454 @NZKoz NZKoz committed with tenderlove Nov 18, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 actionpack/lib/action_view/helpers/text_helper.rb
@@ -266,7 +266,7 @@ def simple_format(text, html_options = {}, options = {})
content_tag(wrapper_tag, nil, html_options)
else
paragraphs.map { |paragraph|
- content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
+ content_tag(wrapper_tag, raw(paragraph), html_options)
}.join("\n\n").html_safe
end
end
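Review bot: The removed line passed `options[:sanitize]` straight through as content_tag's escape argument, so `:sanitize => false` also switched off escaping of the html_options attribute values; the new call drops that argument, so attributes always get content_tag's default escaping, which is the right separation of the two options. Two follow-ups on the `raw(paragraph)` side: because the paragraph is now marked safe unconditionally, the content is never escaped by content_tag regardless of `:sanitize`, and this hunk does not show where `text` is sanitized when the option is set, so please confirm that step still runs before the paragraphs are split and that the helper's documentation states plainly that `:sanitize => false` passes the paragraph markup through unescaped. A regression test asserting that an html_options value containing `"` or `<` is escaped even when `:sanitize => false` is passed would pin the behavior this commit is meant to guarantee.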

0 comments on commit 4b4f584