Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Don't escape forward slashes with String#to_json, our unicode encodin…

…g of < and > prevent the XSS problems. [tpope] Closes #10273

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8255 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit 92f02adf407d6884ffea789b39f78f44b7fd3722 1 parent e7c5da6
@NZKoz NZKoz authored
View
8 actionpack/test/template/javascript_helper_test.rb
@@ -38,14 +38,14 @@ def test_link_to_function_with_rjs_block
html = link_to_function( "Greet me!" ) do |page|
page.replace_html 'header', "<h1>Greetings</h1>"
end
- assert_dom_equal %(<a href="#" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E&quot;);; return false;">Greet me!</a>), html
+ assert_dom_equal %(<a href="#" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E&quot;);; return false;">Greet me!</a>), html
end
def test_link_to_function_with_rjs_block_and_options
html = link_to_function( "Greet me!", :class => "updater" ) do |page|
page.replace_html 'header', "<h1>Greetings</h1>"
end
- assert_dom_equal %(<a href="#" class="updater" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E&quot;);; return false;">Greet me!</a>), html
+ assert_dom_equal %(<a href="#" class="updater" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E&quot;);; return false;">Greet me!</a>), html
end
def test_link_to_function_with_href
@@ -67,14 +67,14 @@ def test_button_to_function_with_rjs_block
html = button_to_function( "Greet me!" ) do |page|
page.replace_html 'header', "<h1>Greetings</h1>"
end
- assert_dom_equal %(<input type="button" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E&quot;);;" value="Greet me!" />), html
+ assert_dom_equal %(<input type="button" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E&quot;);;" value="Greet me!" />), html
end
def test_button_to_function_with_rjs_block_and_options
html = button_to_function( "Greet me!", :class => "greeter" ) do |page|
page.replace_html 'header', "<h1>Greetings</h1>"
end
- assert_dom_equal %(<input type="button" class="greeter" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E&quot;);;" value="Greet me!" />), html
+ assert_dom_equal %(<input type="button" class="greeter" onclick="Element.update(&quot;header&quot;, &quot;\\u003Ch1\\u003EGreetings\\u003C\/h1\\u003E&quot;);;" value="Greet me!" />), html
end
def test_button_to_function_with_onclick
View
20 actionpack/test/template/prototype_helper_test.rb
@@ -303,23 +303,23 @@ def setup
end
def test_insert_html_with_string
- assert_equal 'new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");',
+ assert_equal 'new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");',
@generator.insert_html(:top, 'element', '<p>This is a test</p>')
- assert_equal 'new Insertion.Bottom("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");',
+ assert_equal 'new Insertion.Bottom("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");',
@generator.insert_html(:bottom, 'element', '<p>This is a test</p>')
- assert_equal 'new Insertion.Before("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");',
+ assert_equal 'new Insertion.Before("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");',
@generator.insert_html(:before, 'element', '<p>This is a test</p>')
- assert_equal 'new Insertion.After("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");',
+ assert_equal 'new Insertion.After("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");',
@generator.insert_html(:after, 'element', '<p>This is a test</p>')
end
def test_replace_html_with_string
- assert_equal 'Element.update("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");',
+ assert_equal 'Element.update("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");',
@generator.replace_html('element', '<p>This is a test</p>')
end
def test_replace_element_with_string
- assert_equal 'Element.replace("element", "\\u003Cdiv id=\"element\"\\u003E\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E\\u003C\\/div\\u003E");',
+ assert_equal 'Element.replace("element", "\\u003Cdiv id=\"element\"\\u003E\\u003Cp\\u003EThis is a test\\u003C/p\\u003E\\u003C/div\\u003E");',
@generator.replace('element', '<div id="element"><p>This is a test</p></div>')
end
@@ -356,7 +356,7 @@ def test_alert
end
def test_redirect_to
- assert_equal 'window.location.href = "http:\\/\\/www.example.com\\/welcome";',
+ assert_equal 'window.location.href = "http://www.example.com/welcome";',
@generator.redirect_to(:action => 'welcome')
end
@@ -375,10 +375,10 @@ def test_to_s
@generator.replace_html('baz', '<p>This is a test</p>')
assert_equal <<-EOS.chomp, @generator.to_s
-new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");
-new Insertion.Bottom("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");
+new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");
+new Insertion.Bottom("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");
["foo", "bar"].each(Element.remove);
-Element.update("baz", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");
+Element.update("baz", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");
EOS
end
View
5 activesupport/lib/active_support/json/encoders/string.rb
@@ -11,8 +11,7 @@ module Encoding
'\\' => '\\\\',
'>' => '\u003E',
'<' => '\u003C',
- '&' => '\u0026',
- '/' => '\\/'
+ '&' => '\u0026'
}
end
end
@@ -20,7 +19,7 @@ module Encoding
class String
def to_json(options = nil) #:nodoc:
- '"' + gsub(/[\010\f\n\r\t"\\><&\/]/) { |s|
+ '"' + gsub(/[\010\f\n\r\t"\\><&]/) { |s|
ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s]
}.gsub(/([\xC0-\xDF][\x80-\xBF]|
[\xE0-\xEF][\x80-\xBF]{2}|
View
2  activesupport/test/json/encoding_test.rb
@@ -15,7 +15,7 @@ def initialize(a, b)
StringTests = [[ 'this is the <string>', %("this is the \\u003Cstring\\u003E")],
[ 'a "string" with quotes & an ampersand', %("a \\"string\\" with quotes \\u0026 an ampersand") ],
- [ 'http://test.host/posts/1', %("http:\\/\\/test.host\\/posts\\/1")]]
+ [ 'http://test.host/posts/1', %("http://test.host/posts/1")]]
ArrayTests = [[ ['a', 'b', 'c'], %([\"a\", \"b\", \"c\"]) ],
[ [1, 'a', :b, nil, false], %([1, \"a\", \"b\", null, false]) ]]
Please sign in to comment.
Something went wrong with that request. Please try again.