TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Escape the unit value provided to number_to_currency

Browse Source 
Previously the unit values were trusted leading to potential XSS vulnerabilities.

Fixes: CVE-2013-6415
This commit is contained in:
Michael Koziarski 2013-12-02 10:12:47 +13:00 committed by Aaron Patterson
parent 2e3c3a87d8
commit b31a7a6f1e
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
actionview/lib/action_view/helpers/number_helper.rb
View File

@ -394,6 +394,7 @@ def delegate_number_helper_method(method, number, options)
def escape_unsafe_delimiters_and_separators(options)
options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
options
end

3
actionview/test/template/number_helper_test.rb
View File

@ -14,7 +14,8 @@ def test_number_to_currency
assert_equal nil, number_to_currency(nil)
assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: "Kč", format: "%n %u", negative_format: "%n - %u")
assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u")
assert_equal "£1,234,567,890.50", number_to_currency("1234567890.50", unit: "£")
end
def test_number_to_percentage