
Ensure simple_format escapes its html attributes

The previous behavior equated the sanitize option for simple_format with the
escape option of content_tag, however these are two distinct concepts.

This fixes CVE-2013-6416

Conflicts:
	actionview/lib/action_view/helpers/text_helper.rb
1 parent b31a7a6 commit bea9c9b4c0f9bb7356ea2058118fe40495432010 @NZKoz NZKoz committed with tenderlove Nov 18, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 actionview/lib/action_view/helpers/text_helper.rb
@@ -268,7 +268,7 @@ def simple_format(text, html_options = {}, options = {})
content_tag(wrapper_tag, nil, html_options)
else
paragraphs.map! { |paragraph|
- content_tag(wrapper_tag, paragraph, html_options, false)
+ content_tag(wrapper_tag, raw(paragraph), html_options, false)
}.join("\n\n").html_safe
end
end
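Review bot: the `+` line still passes `false` as content_tag's escape argument, so the values in `html_options` are emitted without escaping and the stated goal of the commit (escaping simple_format's html attributes) is not met by this hunk alone. Because `raw(paragraph)` already marks the paragraph body as html_safe, content_tag's escaping would leave the body untouched while escaping the attributes, so the trailing `false` can be dropped: `content_tag(wrapper_tag, raw(paragraph), html_options)`. It would also help to cover this with a test that passes an attribute value containing a quote or `<` through `simple_format` and asserts it comes out escaped.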
