Use ERB::Util.h over CGI.escapeHTML as the former is safety aware and the latter isn't

5d5e34fa · Michael Koziarski · 1b3195b6 · 5d5e34fa · 5d5e34fa
Showing with 2 addition and 2 deletion

actionpack/lib/action_controller/metal/redirector.rb actionpack/lib/action_controller/metal/redirector.rb +1 -1

actionpack/lib/action_view/safe_buffer.rb actionpack/lib/action_view/safe_buffer.rb +1 -1

未找到文件。
--- a/actionpack/lib/action_controller/metal/redirector.rb
+++ b/actionpack/lib/action_controller/metal/redirector.rb
@@ -16,7 +16,7 @@ def redirect_to(url, status) #:doc:
      logger.info("Redirected to #{url}") if logger && logger.info?
      self.status = status
      self.location = url.gsub(/[\r\n]/, '')
-      self.response_body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>"
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(url)}\">redirected</a>.</body></html>"
    end
  end
 end
--- a/actionpack/lib/action_view/safe_buffer.rb
+++ b/actionpack/lib/action_view/safe_buffer.rb
@@ -5,7 +5,7 @@ def <<(value)
      if value.html_safe?
        super(value)
      else
-        super(CGI.escapeHTML(value))
+        super(ERB::Util.h(value))
      end
    end