Merge pull request #19992 from greysteil/handle-invalid-utf8-in-html-escape

Handle invalid UTF-8 strings when HTML escaping
2015-10-20 16:50:01 -06:00 · 2015-10-20 16:50:01 -06:00 · d94ae72a52
parent cd46bfc54f 05a2a6a0c5
commit d94ae72a52
3 changed files with 19 additions and 4 deletions
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@ -1,3 +1,12 @@
+*   Handle invalid UTF-8 strings when HTML escaping
+
+    Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8
+    strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`.
+    Prevents user-entered input passed from a querystring into a form field from
+    causing invalid byte sequence errors.
+
+    *Grey Baker*
+
 *   Update `ActiveSupport::Multibyte::Chars#slice!` to return `nil` if the
    arguments are out of bounds, to mirror the behavior of `String#slice!`

--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@ -37,7 +37,7 @@ class ERB
      if s.html_safe?
        s
      else
-        s.gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
+        ActiveSupport::Multibyte::Unicode.tidy_bytes(s).gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
      end
    end
    module_function :unwrapped_html_escape
@ -50,7 +50,7 @@ class ERB
    #   html_escape_once('&lt;&lt; Accept & Checkout')
    #   # => "&lt;&lt; Accept &amp; Checkout"
    def html_escape_once(s)
-      result = s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
+      result = ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
      s.html_safe? ? result.html_safe : result
    end

--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@ -782,8 +782,8 @@ class OutputSafetyTest < ActiveSupport::TestCase
  end

  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
-    string = [192, 60].pack('CC')
-    expected = 192.chr + "&lt;"
+    string = "\251 <"
+    expected = "© &lt;"
    assert_equal expected, ERB::Util.html_escape(string)
  end

@ -799,6 +799,12 @@ class OutputSafetyTest < ActiveSupport::TestCase
    assert_equal escaped_string, ERB::Util.html_escape_once(string)
    assert_equal escaped_string, ERB::Util.html_escape_once(escaped_string)
  end
+
+  test "ERB::Util.html_escape_once should correctly handle invalid UTF-8 strings" do
+    string = "\251 <"
+    expected = "© &lt;"
+    assert_equal expected, ERB::Util.html_escape_once(string)
+  end
 end

 class StringExcludeTest < ActiveSupport::TestCase