File CVE-2013-6415.patch of Package rubygem-actionpack-2_3

diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index ad86d13..eee9e59 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -85,11 +85,11 @@
         separator = '' if precision == 0
 
         begin
-          format.gsub(/%n/, number_with_precision(number,
+          format.gsub(/%n/, ERB::Util.html_escape(number_with_precision(number,
             :precision => precision,
             :delimiter => delimiter,
-            :separator => separator)
-          ).gsub(/%u/, unit).html_safe
+            :separator => separator))
+          ).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
         rescue
           number
         end
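Review bot: `format` itself is still used unescaped as the receiver of the `gsub` chain, yet the whole result is marked `.html_safe`, so escaping only the `%n` and `%u` substitutions does not cover markup carried in the format string. Where `format` is assigned lies outside this hunk, so confirm whether it can come from caller-supplied options; if it can, escape it at the head of the chain, e.g. `ERB::Util.html_escape(format).gsub(/%n/, ...)`, or document that `:format` must be trusted. The bare `rescue` branch also returns `number` as passed in, neither escaped nor marked safe, so that path relies on the view escaping it. The enclosing method begins and ends outside the hunk.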