
Add link_to protection

1 parent 318b381 commit afc1610fe4b94150faee98c16f15a24290d20900 @dhh dhh committed Jan 14, 2010
Showing with 31 additions and 3 deletions.
  1. +1 −0 init.rb
  2. +0 −3 lib/rails_xss_escaping.rb
  3. +30 −0 lib/rails_xss_helper.rb
@@ -10,6 +10,7 @@
end
require 'rails_xss_escaping'
+ require 'rails_xss_helper'
require 'av_patch'
rescue LoadError
puts "Could not load all modules required by rails_xss. Please make sure erubis is installed an try again."
@@ -1,7 +1,4 @@
-
-
ERB::Util.module_eval do # :nodoc:
-
def html_escape_with_output_safety(value)
# Values which don't respond to html_safe, should be checked
if value.respond_to?(:html_safe?) && value.html_safe?
@@ -0,0 +1,30 @@
+# Overwrites helper methods in Action Pack to give them Rails XSS powers. These powers are there by default in Rails 3.
+module RailsXssHelper
+ def link_to(*args, &block)
+ if block_given?
+ options = args.first || {}
+ html_options = args.second
+ concat(link_to(capture(&block), options, html_options).html_safe!)
+ else
+ name = args.first
+ options = args.second || {}
+ html_options = args.third
+
+ url = url_for(options)
+
+ if html_options
+ html_options = html_options.stringify_keys
+ href = html_options['href']
+ convert_options_to_javascript!(html_options, url)
+ tag_options = tag_options(html_options)
+ else
+ tag_options = nil
+ end
+
+ href_attr = "href=\"#{url}\"" unless href
+ "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe!
+ end
+ end
+end
+
+ActionController::Base.helper(RailsXssHelper)
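Review bot: On the `href_attr` line the URL is interpolated into the attribute value unescaped, while the link text on the following line goes through `ERB::Util.h`; the method is only safe there because, if I recall Action Pack 2.3 correctly, the view-level `url_for` already applies `escape_once` to String and Hash options by default, and nothing in this hunk guards or documents that assumption (`:escape => false` or a `:back` argument bypasses it). Either escape at the point of use, `href_attr = "href=\"#{escape_once(url)}\"" unless href`, which is idempotent on a URL that `url_for` has already escaped, or add a comment above that line stating that `url` is expected to arrive attribute-escaped from `url_for` and that an explicit `html_options['href']` is escaped by `tag_options` instead. Separately, `href` is assigned only inside the `if html_options` branch yet read unconditionally; it works because Ruby hoists the local as nil, but an explicit `href = nil` before the branch would make that visible to a reader. The module comment says it overwrites Action Pack helpers; a one-line comment on `link_to` naming what differs from the original (the `.html_safe!` on the result and `ERB::Util.h` on the name) would tell a maintainer which lines must be kept in sync with Action Pack.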
