properly escape html to avoid invalid utf8 causing XSS attacks
This commit is contained in:
parent
586a944ddd
commit
bfc432574d
|
@ -20,7 +20,7 @@ class ERB
|
|||
if s.html_safe?
|
||||
s
|
||||
else
|
||||
s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
|
||||
s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
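Review bot: The new line `s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe` drops the `.to_s` that the removed line had, so a non-String argument (nil, an Integer) that passes the `html_safe?` guard would raise `NoMethodError` on `gsub` instead of being escaped; keeping `s.to_s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe` preserves the old contract. The single-pass character-class replacement is the right shape for the fix, since a chain of separate gsub calls can re-scan bytes it already produced; a short comment above the line saying so would document why the earlier form was unsafe, e.g. `# single pass: earlier gsub chains could mis-handle invalid UTF-8 and leave '<' unescaped`. Note that `[&"><]` does not include the single quote, so output placed inside single-quoted attributes still needs separate handling unless `HTML_ESCAPE` is extended; the `HTML_ESCAPE` table and the start of `html_escape` are outside this hunk, so I cannot confirm its entries here.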
@ -7,10 +7,17 @@ require 'active_support/inflector'
|
|||
require 'active_support/core_ext/string'
|
||||
require 'active_support/time'
|
||||
require 'active_support/core_ext/string/strip'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
class StringInflectionsTest < Test::Unit::TestCase
|
||||
include InflectorTestCases
|
||||
|
||||
def test_erb_escape
|
||||
string = [192, 60].pack('CC')
|
||||
expected = 192.chr + "<"
|
||||
assert_equal expected, ERB::Util.html_escape(string)
|
||||
end
|
||||
|
||||
def test_strip_heredoc_on_an_empty_string
|
||||
assert_equal '', ''.strip_heredoc
|
||||
end
|
||||
|
|
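Review bot: `test_erb_escape` gives no hint why the byte 192 precedes the `<`, which is the whole point of the regression test; a comment such as `# 0xC0 is a lone (invalid) UTF-8 lead byte; the '<' following it must still be escaped` would make the intent survive the next refactor. The test also only checks the string value; adding `assert ERB::Util.html_escape(string).html_safe?` would pin the second half of the contract, that the result is marked safe. Placing an ERB escaping test inside `StringInflectionsTest` looks incidental rather than intentional, so a dedicated test case for output safety would be the more natural home, but that is a style point only.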