kotovalexarian-likes-github
/
rails--rails
mirror of https://github.com/rails/rails.git
1
0
Fork 0
Code Releases Activity

properly escape html to avoid invalid utf8 causing XSS attacks

This commit is contained in:
Aaron Patterson 2011-08-16 15:18:53 -07:00
parent 586a944ddd
commit bfc432574d
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
activesupport/lib/active_support/core_ext/string/output_safety.rb
View File

@ -20,7 +20,7 @@ class ERB
if s.html_safe?
s
else
s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
end
end

7
activesupport/test/core_ext/string_ext_test.rb
View File

@ -7,10 +7,17 @@ require 'active_support/inflector'
require 'active_support/core_ext/string'
require 'active_support/time'
require 'active_support/core_ext/string/strip'
require 'active_support/core_ext/string/output_safety'
class StringInflectionsTest < Test::Unit::TestCase
include InflectorTestCases
def test_erb_escape
string = [192, 60].pack('CC')
expected = 192.chr + "&lt;"
assert_equal expected, ERB::Util.html_escape(string)
end
def test_strip_heredoc_on_an_empty_string
assert_equal '', ''.strip_heredoc
end