Fix failing test related to escaping include_blank in select_tag

Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be that is only
available from 3.1.x on.

The test and related fix were introduced in
c979587 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from another branch which has the option.
commit 709fbd3f323607f6974bfc4aeaeca791479e5fbe (1 parent: e8ac985)
@carlosantoniodasilva authored
actionpack/CHANGELOG (4 lines changed)
@@ -19,9 +19,9 @@
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
-* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+* When an "include_blank" value is supplied to the `select_tag` helper, the "include_blank" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
Vulnerable code will look something like this:
- select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+ select_tag("name", options, :include_blank => UNTRUSTED_INPUT)
*Santiago Pastorino*
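Review bot: the second sentence of the rewritten entry still says "supplied as the prompt value" even though the entry now describes the `include_blank` option; only the first sentence and the code sample were renamed. Suggest changing it to "supplied as the include_blank value" so the CHANGELOG entry is internally consistent with the vulnerable-code example below it (`select_tag("name", options, :include_blank => UNTRUSTED_INPUT)`).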
actionpack/test/template/form_tag_helper_test.rb (4 lines changed)
@@ -195,8 +195,8 @@ def test_select_tag_with_include_blank
assert_dom_equal expected, actual
end
- def test_select_tag_escapes_prompt
- actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
+ def test_select_tag_escapes_include_blank
+ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => "<script>alert(1337)</script>"
expected = %(<select id="places" name="places"><option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option><option>Home</option><option>Work</option><option>Pub</option></select>)
assert_dom_equal expected, actual
end
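Review bot: the expected markup on the unchanged line (`<option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option>...`) is left as is, which is correct only because a string passed as `include_blank` renders the same empty-value option element that the old `:prompt` test expected; it would be worth a one-line comment in the test stating that `:prompt` does not exist in this branch, so nobody later "fixes" the test back to `:prompt` when cherry-picking from 3.1.x, as the commit message says happened here. The assertion itself still verifies that the untrusted string is entity-escaped rather than emitted raw, which is the security property the 3.0.17 fix introduced.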