mirrors
/
rails
mirror of https://github.com/rails/rails
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

_html translation should escape interpolated arguments

This commit is contained in:
lest 2011-11-17 18:29:55 +03:00 committed by Jon Leighton
parent 1079724fe6
commit e8d57f361a
3 changed files with 29 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
actionpack/CHANGELOG.md
View File

@ -64,6 +64,20 @@
## Rails 3.1.2 (unreleased) ## ## Rails 3.1.2 (unreleased) ##
* Fix XSS security vulnerability in the `translate` helper method. When using interpolation
in combination with HTML-safe translations, the interpolated input would not get HTML
escaped. *GH 3664*
Before:
translate('foo_html', :something => '<script>') # => "...<script>..."
After:
translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."
*Sergey Nartimov*
* Upgrade sprockets dependency to ~> 2.1.0 * Upgrade sprockets dependency to ~> 2.1.0
* Ensure that the format isn't applied twice to the cache key, else it becomes impossible * Ensure that the format isn't applied twice to the cache key, else it becomes impossible

13
actionpack/lib/action_view/helpers/translation_helper.rb
View File

@ -45,11 +45,16 @@ module ActionView
# you know what kind of output to expect when you call translate in a template. # you know what kind of output to expect when you call translate in a template.
def translate(key, options = {}) def translate(key, options = {})
options.merge!(:rescue_format => :html) unless options.key?(:rescue_format) options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
translation = I18n.translate(scope_key_by_partial(key), options) if html_safe_translation_key?(key)
if html_safe_translation_key?(key) && translation.respond_to?(:html_safe) html_safe_options = options.dup
translation.html_safe options.except(*I18n::RESERVED_KEYS).each do |name, value|
html_safe_options[name] = ERB::Util.html_escape(value.to_s)
end
translation = I18n.translate(scope_key_by_partial(key), html_safe_options)
translation.respond_to?(:html_safe) ? translation.html_safe : translation
else else
translation I18n.translate(scope_key_by_partial(key), options)
end end
end end
alias :t :translate alias :t :translate

6
actionpack/test/template/translation_helper_test.rb
View File

@ -17,6 +17,7 @@ class TranslationHelperTest < ActiveSupport::TestCase
:hello => '<a>Hello World</a>', :hello => '<a>Hello World</a>',
:html => '<a>Hello World</a>', :html => '<a>Hello World</a>',
:hello_html => '<a>Hello World</a>', :hello_html => '<a>Hello World</a>',
:interpolated_html => '<a>Hello %{word}</a>',
:array_html => %w(foo bar), :array_html => %w(foo bar),
:array => %w(foo bar) :array => %w(foo bar)
} }
@ -83,6 +84,11 @@ class TranslationHelperTest < ActiveSupport::TestCase
assert translate(:'translations.hello_html').html_safe? assert translate(:'translations.hello_html').html_safe?
end end
def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
assert_equal '<a>Hello &lt;World&gt;</a>', translate(:'translations.interpolated_html', :word => '<World>')
assert_equal '<a>Hello &lt;World&gt;</a>', translate(:'translations.interpolated_html', :word => stub(:to_s => "<World>"))
end
def test_translation_returning_an_array_ignores_html_suffix def test_translation_returning_an_array_ignores_html_suffix
assert_equal ["foo", "bar"], translate(:'translations.array_html') assert_equal ["foo", "bar"], translate(:'translations.array_html')
end end