1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

2 commits

Author SHA1 Message Date
Rafael Mendonça França
33cb47ee48 Use the reference for the mime type to get the format
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
2014-02-18 16:12:51 -03:00
Prem Sichanugrist
920f3ba266 Introduce render :html for render HTML string
This is an option for to HTML content with a content type of
`text/html`. This rendering option calls `ERB::Util.html_escape`
internally to escape unsafe HTML string, so you will have to mark your
string as html safe if you have any HTML tag in it.

Please see #12374 for more detail.
2014-02-18 12:08:36 -05:00