Merge pull request #18236 from vipulnsward/dont-eval-frozen

Fix html_safe string access modifying frozen values

Merge pull request #18236 from vipulnsward/dont-eval-frozen
Fix html_safe string access modifying frozen values
724707ed · Rafael Mendonça França · b67b57d4 · 98367466 · 724707ed · 724707ed
Showing with 12 addition and 1 deletion

activesupport/lib/active_support/core_ext/string/output_safety.rb ...pport/lib/active_support/core_ext/string/output_safety.rb +3 -1

activesupport/test/safe_buffer_test.rb activesupport/test/safe_buffer_test.rb +9 -0

未找到文件。
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -150,7 +150,9 @@ def [](*args)
      else
        if html_safe?
          new_safe_buffer = super
-          new_safe_buffer.instance_variable_set :@html_safe, true
+          unless new_safe_buffer.respond_to?(:frozen?) && new_safe_buffer.frozen?
+            new_safe_buffer.instance_variable_set :@html_safe, true
+          end
          new_safe_buffer
        else
          to_str[*args]

--- a/activesupport/test/safe_buffer_test.rb
+++ b/activesupport/test/safe_buffer_test.rb
@@ -165,4 +165,13 @@ def test_titleize
    x = 'foo %{x} bar'.html_safe % { x: 'qux' }
    assert x.html_safe?, 'should be safe'
  end
+
+  test 'Should not affect frozen objects when accessing characters' do
+    x = 'Hello'.html_safe
+    assert_nothing_raised do
+      x[/a/, 1]
+    end
+  end
+
+
 end