File CVE-2013-6415.patch of Package rubygem-actionpack-2_3
diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index ad86d13..eee9e59 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -85,11 +85,11 @@
separator = '' if precision == 0
begin
- format.gsub(/%n/, number_with_precision(number,
+ format.gsub(/%n/, ERB::Util.html_escape(number_with_precision(number,
:precision => precision,
:delimiter => delimiter,
- :separator => separator)
- ).gsub(/%u/, unit).html_safe
+ :separator => separator))
+ ).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
rescue
number
end
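Review bot: The `format` string is still interpolated unescaped and the whole result is marked `html_safe` on the new `.gsub(/%u/, ERB::Util.html_escape(unit)).html_safe` line, so after this patch `format` is the one remaining value the helper trusts, while `number`, `unit`, `delimiter` and `separator` are now covered (the last two travel through `number_with_precision` and are escaped with its result). That trust boundary should be stated where the escaping happens, e.g. `# %n and %u are escaped; format itself is emitted verbatim and marked html_safe, so it must come from I18n or application code, never from request input`. The unchanged bare `rescue` returning the raw `number` is not marked html_safe, so it stays subject to the view's output escaping, which is consistent with the fix. The enclosing method starts above the hunk.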