From 97b811b7f8d3750635bea7e4f816d1ad71b5f9a1 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Tue, 19 Nov 2013 09:00:08 +1300
Subject: [PATCH] Ensure simple_format escapes its html attributes

The previous behavior equated the sanitize option for simple_format with the escape option of content_tag, however these are two distinct concepts. This fixes CVE-2013-6416
---
 actionpack/lib/action_view/helpers/text_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 2ed825e..285d27d 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -266,7 +266,7 @@ module ActionView
 content_tag(wrapper_tag, nil, html_options)
 else
 paragraphs.map { |paragraph|
- content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
+ content_tag(wrapper_tag, raw(paragraph), html_options)
 }.join("\n\n").html_safe
 end
 end
--
1.8.3.4
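Review bot: The added line marks each paragraph html_safe via `raw(paragraph)`, so content_tag no longer escapes it; correctness therefore depends on `paragraphs` having already been run through sanitize earlier in simple_format when `options[:sanitize]` is set, and that step lies outside the hunk. A why-comment on the changed line would make the coupling visible to the next maintainer: `# paragraph was already sanitized above (unless sanitize: false); raw only prevents double-escaping, html_options are still escaped by content_tag`. Callers passing `sanitize: false` still receive their text unescaped, as before, and the note in the commit message suggests that is intended. The commit carries no regression test; one that passes an attribute value containing `"` or `<` through html_options and asserts the rendered wrapper escapes it would pin the attribute-escaping behavior this change restores. simple_format's body starts before the hunk.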