source: trunk/server/common/patches/rubygem-actionpack-2.3.x-CVE-2009-3009.patch @ 1339

Last change on this file since 1339 was 1329, checked in by mitchb, 15 years ago
Scriptsify activesupport and actionpack ruby gems, patch for CVE-2009-3009
File size: 693 bytes
RevLine 
[1329]1diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
2index af8c4d5..db99a0e 100644
3--- a/actionpack/lib/action_view/helpers/tag_helper.rb
4+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
5@@ -103,7 +103,7 @@ module ActionView
6       #   escape_once("<< Accept & Checkout")
7       #   # => "<< Accept & Checkout"
8       def escape_once(html)
9-        html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
10+        ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
11       end
12 
13       private
14
Note: See TracBrowser for help on using the repository browser.