
Commit bfc4325

committed
properly escape html to avoid invalid utf8 causing XSS attacks
1 parent 586a944 commit bfc4325


2 files changed

+8
-1
lines changed


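--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ def html_escape(s)
 if s.html_safe?
 s
 else
-s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
 end
 end
 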
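Review bot: The replacement order in the new line is load-bearing and undocumented: `&` must be replaced before the `&quot;`, `&gt;` and `&lt;` entities are introduced, or those would be escaped a second time, and the move from one character-class pattern to four single-character patterns is presumably what keeps a malformed multibyte lead byte from swallowing the `<` after it (the test in the other file pins exactly that case). A comment above the line would stop the next maintainer from "simplifying" it back: `# Replace & first so the entities added below are not re-escaped; single-char patterns so an invalid lead byte cannot absorb the following character`. The `\"` in `/\"/` needs no escaping; `/"/` reads cleaner. A single quote still passes through unescaped, so values placed inside single-quoted attributes are not protected by this helper, which the commit does not change; and if `HTML_ESCAPE` is defined elsewhere in the file it now appears unused. The enclosing html_escape definition starts before the hunk.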

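--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -7,10 +7,17 @@
 require 'active_support/core_ext/string'
 require 'active_support/time'
 require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/string/output_safety'
 
 class StringInflectionsTest < Test::Unit::TestCase
 include InflectorTestCases
 
+def test_erb_escape
+string = [192, 60].pack('CC')
+expected = 192.chr + "&lt;"
+assert_equal expected, ERB::Util.html_escape(string)
+end
+
 def test_strip_heredoc_on_an_empty_string
 assert_equal '', ''.strip_heredoc
 end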
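Review bot: The new test pins the malformed-byte case without saying what the bytes mean, so a reader has to decode `[192, 60].pack('CC')` by hand; a comment above the `string =` line such as `# 0xC0 is an invalid UTF-8 lead byte followed by '<'; the byte must survive and the '<' must still be escaped` would record the intent. It only exercises `<`, while `&` is the character whose replacement order matters in the new implementation, so an assertion like `assert_equal "&amp;lt;", ERB::Util.html_escape("&lt;")` would guard against a double-escaping regression. The test is placed in StringInflectionsTest, which is about inflections rather than output safety; it arguably belongs with the output-safety tests if such a class exists, which I cannot tell from here.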
