fixing utf8 escape vulerability

tenderlove · tenderlove · commit e0774e47302a · 2011-08-16T14:58:39.000-07:00
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -19,7 +19,7 @@ def html_escape(s)
       if s.html_safe?
         s
       else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
       end
     end
 
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
@@ -2,10 +2,17 @@
 require 'date'
 require 'abstract_unit'
 require 'inflector_test_cases'
+require 'active_support/core_ext/string/output_safety'
 
 class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
 
+  def test_erb_escape
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
   def test_pluralize
     SingularToPlural.each do |singular, plural|
       assert_equal(plural, singular.pluralize)

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ def html_escape(s)`
`19`	`19`	`if s.html_safe?`
`20`	`20`	`s`
`21`	`21`	`else`
`22`		`- s.gsub(/[&"><]/) { \|special\| HTML_ESCAPE[special] }.html_safe`
	`22`	`+ s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe`
`23`	`23`	`end`
`24`	`24`	`end`
`25`	`25`