From b6640db0b69b3f3ee4d029abf05754cbe6097c41 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Mon, 2 Dec 2013 10:12:47 +1300
Subject: [PATCH] Escape the unit value provided to number_to_currency
Previously the unit values were trusted leading to potential XSS vulnerabilities.
Fixes: CVE-2013-6415
---
 actionpack/lib/action_view/helpers/number_helper.rb | 1 +
 actionpack/test/template/number_helper_test.rb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index fda7038..f3914e4 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -411,6 +411,7 @@ module ActionView
 def escape_unsafe_delimiters_and_separators(options)
 options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
 options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
+ options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
 options
 end
diff --git a/actionpack/test/template/number_helper_test.rb b/actionpack/test/template/number_helper_test.rb
index 6e64088..be336ea 100644
--- a/actionpack/test/template/number_helper_test.rb
+++ b/actionpack/test/template/number_helper_test.rb
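Review bot: With the added line, `escape_unsafe_delimiters_and_separators` now escapes `:unit` as well, so its name no longer describes what it does; either rename it (for example `escape_unsafe_options`, updating the callers, which lie outside this hunk) or put a comment above the `def` such as `# HTML-escapes the caller-supplied :separator, :delimiter and :unit options unless they are already html_safe; mutates and returns options.` Because the escape is skipped only for values answering true to `html_safe?`, a caller that legitimately wants `&`, `<` or `>` in the unit must now wrap it with `raw`/`html_safe`, and that behaviour change deserves a line in the helper's documentation. As far as this hunk shows, `:format` and `:negative_format` still pass through unescaped; presumably they come from the view author or the locale rather than from request data, but that assumption is worth stating in the same comment. The enclosing `module ActionView` starts outside the hunk.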
@@ -14,7 +14,8 @@ class NumberHelperTest < ActionView::TestCase
 assert_equal nil, number_to_currency(nil)
 assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
 assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
- assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: "Kč", format: "%n %u", negative_format: "%n - %u")
+ assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u")
+ assert_equal "&pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "£")
 end
 def test_number_to_percentage
--
1.8.3.4
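Review bot: The new assertion expects `"&pound;1,234,567,890.50"` for `unit: "£"`, but `ERB::Util.html_escape` rewrites only `&`, `<`, `>`, `"` and `'` and leaves `£` untouched, so the line as printed cannot pass; most likely this page has HTML-decoded the source once and the committed line reads `unit: "&pound;"` with an expected value of `"&amp;pound;1,234,567,890.50"`, which should be confirmed against the repository. None of the assertions exercises a unit containing `<` or `>`, which is the case the fix targets; `assert_equal "&lt;b&gt;1,234,567,890.50", number_to_currency("1234567890.50", unit: "<b>")` would pin it. The switch to `raw("Kč")` on the modified line is not explained by the escape rules (the string has no escapable characters) and the reason is not visible in this hunk, so a short comment stating why `raw` is needed there would help the next reader. The enclosing test method starts outside the hunk.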