File rubygem-actionpack-2.1.2_CVE-2009-3009_actionpa... of Package rubygem-actionpack-2_1

Overview Repositories Revisions Requests Users Attributes Meta

File rubygem-actionpack-2.1.2_CVE-2009-3009_actionpack.patch of Package rubygem-actionpack-2_1

From 9af2823b32e001358babde7644e5cc1c0ec29d6e Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Mon, 31 Aug 2009 12:07:30 -0700
Subject: [PATCH] Clean tag attributes before passing through the escape_once logic.

Addresses CVE-2009-3009
---
 actionpack/lib/action_view/helpers/tag_helper.rb |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Index: lib/action_view/helpers/tag_helper.rb
===================================================================
--- lib/action_view/helpers/tag_helper.rb.orig	1970-01-01 01:00:00.000000000 +0100
+++ lib/action_view/helpers/tag_helper.rb	2009-09-16 15:09:10.075039531 +0200
@@ -101,7 +101,7 @@ module ActionView
       #   escape_once("&lt;&lt; Accept & Checkout")
       #   # => "&lt;&lt; Accept &amp; Checkout"
       def escape_once(html)
-        html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+        ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
       end
 
       private

Places

File rubygem-actionpack-2.1.2_CVE-2009-3009_actionpack.patch of Package rubygem-actionpack-2_1

Places