Restore performance of ERB::Util.html_escape
Revert html_escape to do a single gsub again, but add the "n" flag (no language, i.e. not multi-byte) to protect against XSS via invalid UTF-8.

Signed-off-by: José Valim <jose.valim@gmail.com>
parent
9ac6310bd9
commit
0e17cf17eb
2 changed files with 18 additions and 7 deletions
|
@ -20,7 +20,7 @@ class ERB
|
|||
if s.html_safe?
|
||||
s
|
||||
else
|
||||
s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe
|
||||
s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
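Review bot: The character class `[&"><]` on the new gsub line leaves out the single quote, so a value interpolated into a single-quoted attribute is still not neutralised; consider `/[&"'><]/n` together with a `"'" => "&#39;"` entry in `HTML_ESCAPE` (that table is defined outside this hunk, so confirm it holds exactly the keys the class matches and nothing the class misses). The `/n` flag is the actual security fix named in the commit message, but nothing on the line says so; a comment such as `# /n matches byte-wise so a truncated multi-byte sequence cannot absorb the "<" that follows it` would stop a later refactor from dropping it as a no-op. Since `/n` means byte-wise matching on Ruby 1.8 but something narrower on encoding-aware Rubies, the invalid-UTF-8 test in the other file is what really pins this behaviour, and it should stay with this line. The enclosing `html_escape` method starts outside this hunk.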
@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase
|
|||
include InflectorTestCases
|
||||
include ConstantizeTestCases
|
||||
|
||||
def test_erb_escape
|
||||
string = [192, 60].pack('CC')
|
||||
expected = 192.chr + "<"
|
||||
assert_equal expected, ERB::Util.html_escape(string)
|
||||
end
|
||||
|
||||
def test_strip_heredoc_on_an_empty_string
|
||||
assert_equal '', ''.strip_heredoc
|
||||
end
|
||||
|
@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
|
|||
assert string.html_safe?
|
||||
assert !string.to_param.html_safe?
|
||||
end
|
||||
|
||||
test "ERB::Util.html_escape should escape unsafe characters" do
|
||||
string = '<>&"'
|
||||
expected = '<>&"'
|
||||
assert_equal expected, ERB::Util.html_escape(string)
|
||||
end
|
||||
|
||||
test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
|
||||
string = [192, 60].pack('CC')
|
||||
expected = 192.chr + "<"
|
||||
assert_equal expected, ERB::Util.html_escape(string)
|
||||
end
|
||||
|
||||
test "ERB::Util.html_escape should not escape safe strings" do
|
||||
string = "<b>hello</b>".html_safe
|
||||
assert_equal string, ERB::Util.html_escape(string)
|
||||
end
|
||||
end
|
||||
|
||||
class StringExcludeTest < ActiveSupport::TestCase
|
||||
|
|
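Review bot: The "should escape unsafe characters" test verifies the escaped text but never that the result is marked safe, which is the other half of the contract the implementation hunk establishes with its trailing `.html_safe`; add `assert ERB::Util.html_escape(string).html_safe?` after the `assert_equal`. As rendered here the `expected` literal on the line after `string = '<>&"'` reads identically to the input, presumably because the page decoded entity references; if the source really spells them as entities the assertion is meaningful, otherwise it would pass against an identity function. The invalid-UTF-8 test covers a single lead byte followed by `<` only, and on encoding-aware Rubies `pack('CC')` and `192.chr` produce binary-tagged strings, so it may not exercise a UTF-8-tagged input at all; a second case that forces the UTF-8 encoding, where the targeted Rubies support it, would close that gap. `OutputSafetyTest` opens outside this hunk.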