openSUSE:11.4:Update
rubygem-activesupport-2_3.869
3-0-escape_html-activesupport.patch
File 3-0-escape_html-activesupport.patch of Package rubygem-activesupport-2_3.869
From ac9844bb1a8dc5465ec3d6f9a746b3f34d9c29d4 Mon Sep 17 00:00:00 2001 
From: Aaron Patterson <aaron.patterson@gmail.com> Date: Wed, 8 Aug 2012 11:05:31 -0700 Subject: [PATCH] Squashed commit of the following: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 9ef905f19807c62fb549ae6fe3784be4bcda96dc Author: Rafael Mendonça França <rafaelmfranca@gmail.com> Date: Tue Aug 7 22:38:40 2012 -0300 Fix tests about single quote escaping commit 780a718723cf87b49cfe204d355948c4e0932d23 Author: Santiago Pastorino <santiago@wyeworks.com> Date: Tue Jul 31 22:25:54 2012 -0300 html_escape should escape single quotes https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 Conflicts: actionpack/test/controller/new_base/render_template_test.rb actionpack/test/template/asset_tag_helper_test.rb actionpack/test/template/erb_util_test.rb actionpack/test/template/javascript_helper_test.rb actionpack/test/template/template_test.rb activesupport/lib/active_support/core_ext/string/output_safety.rb activesupport/test/core_ext/string_ext_test.rb railties/test/application/assets_test.rb --- actionpack/test/controller/render_test.rb | 4 ++-- actionpack/test/template/asset_tag_helper_test.rb | 23 ++++++++++++++++------ actionpack/test/template/erb_util_test.rb | 10 +++++----- .../test/template/form_options_helper_test.rb | 6 +++--- actionpack/test/template/form_tag_helper_test.rb | 2 +- actionpack/test/template/javascript_helper_test.rb | 10 +++++----- actionpack/test/template/template_test.rb | 2 +- actionpack/test/template/text_helper_test.rb | 2 +- actionpack/test/template/url_helper_test.rb | 10 +++++----- .../core_ext/string/output_safety.rb | 6 +++--- activesupport/test/core_ext/string_ext_test.rb | 17 ++++++++++++++++ 11 files changed, 60 insertions(+), 32 deletions(-) Index: lib/active_support/core_ext/string/output_safety.rb 
=================================================================== --- lib/active_support/core_ext/string/output_safety.rb.orig 2012-08-15 15:36:09.274922225 +0200 +++ lib/active_support/core_ext/string/output_safety.rb 2012-08-15 15:36:16.614922223 +0200 @@ -2,13 +2,13 @@ require 'erb' class ERB module Util - HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } + HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } # A utility method for escaping HTML tag characters. # This method is also aliased as <tt>h</tt>. # - # In your ERb templates, use this method to escape any unsafe content. For example: + # In your ERB templates, use this method to escape any unsafe content. For example: # <%=h @person.name %> # # ==== Example: @@ -19,7 +19,7 @@ class ERB if s.html_safe? s else - s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe + s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe end end # test case missing in the gem # diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb # index 8f07cd1..be9a41b 100644 # --- a/activesupport/test/core_ext/string_ext_test.rb # +++ b/activesupport/test/core_ext/string_ext_test.rb # 
@@ -527,6 +527,23 @@ class OutputSafetyTest < ActiveSupport::TestCase # assert string.html_safe? # assert !string.to_param.html_safe? # end # + # + test "ERB::Util.html_escape should escape unsafe characters" do # + string = '<>&"\'' # + expected = '<>&"'' # + assert_equal expected, ERB::Util.html_escape(string) # + end # + # + test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do # + string = [192, 60].pack('CC') # + expected = 192.chr + "<" # + assert_equal expected, ERB::Util.html_escape(string) # + end # + # + test "ERB::Util.html_escape should not escape safe strings" do # + string = "<b>hello</b>".html_safe # + assert_equal string, ERB::Util.html_escape(string) # + end # end # # class StringExcludeTest < ActiveSupport::TestCase
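Review bot: as rendered, every entry in the new HTML_ESCAPE table maps a character to itself (`'&' => '&'`, `'"' => '"'`, `"'" => '''`), which would escape nothing; the entity references have evidently been decoded by the page display, so confirm that the patch file on disk carries the real entity strings rather than the bare characters before this is applied to the package, since the OWASP rule cited in the commit message is only met if the table actually rewrites those five characters.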
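Review bot: the replacement line in the `@@ -19,7 +19,7 @@` hunk drops the `.to_s` that the removed line applied before `gsub`; unless the line just above this hunk already coerces the argument (a `s = s.to_s` that is not in the context shown), `html_escape(123)` will raise NoMethodError where it previously returned `"123"`, so either keep `s.to_s.gsub(...)` or verify that coercion happens earlier. The `/n` flag on the regexp is there for byte strings that are not valid UTF-8, which the commented-out test "should correctly handle invalid UTF-8 strings" exercises; keep it when backporting.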
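Review bot: the three new test cases are carried only as `#`-commented lines ("test case missing in the gem"), so nothing in this package build exercises the single-quote escaping, the invalid-UTF-8 handling, or the html_safe pass-through; if the gem tarball ships no string_ext_test.rb, consider adding the same assertions as a runnable check in the package build so a regression in the escape table is caught.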
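The following is an added example, not the ActiveSupport code from the patch above: a stand-alone Ruby escaper that covers the five characters the cited OWASP rule names (including the single quote this patch adds), keeps the `to_s` coercion of the pre-patch code, and guards against byte strings that are not valid UTF-8 instead of letting `gsub` raise. The constant and function names (`HTML_ESCAPE_MAP`, `html_escape`, `attribute_html`) are this example's own.

```ruby
# Added example; not the Rails/ActiveSupport implementation from the patch.
# Escape table for HTML element content and quoted attribute values.
HTML_ESCAPE_MAP = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;'   # numeric entity: &apos; is not defined in HTML 4
}.freeze

# Escape +value+ for insertion into HTML. Non-String values are coerced
# with to_s, as the pre-patch Rails code did, so html_escape(42) works.
def html_escape(value)
  s = value.to_s
  # gsub raises ArgumentError on invalid byte sequences; replace them with
  # U+FFFD so a malformed input is neutralised rather than crashing the view.
  s = s.scrub unless s.valid_encoding?
  s.gsub(/[&<>"']/) { |ch| HTML_ESCAPE_MAP[ch] }
end

# Shows why the single quote matters: an attribute delimited with single
# quotes stays intact only if ' inside the untrusted value is escaped too.
def attribute_html(name, untrusted)
  "<input name='#{name}' value='#{html_escape(untrusted)}'>"
end

if __FILE__ == $0
  puts html_escape(%q{<b>it's "quoted" & more</b>})
  puts attribute_html('q', "it's")
  # constructed invalid UTF-8 input: byte 0xC0 followed by '<'
  puts html_escape([192, 60].pack('CC').force_encoding('UTF-8')).inspect
end
```

Without the `"'" => '&#39;'` entry, the value `it's` would terminate the single-quoted attribute in `attribute_html` and whatever followed the quote would be parsed as further attributes; with it, the output stays a single attribute.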