Remove monkey patch which is already included in Rails 2.3.17 #1233

This commit is contained in:
Holger Just 2013-02-12 12:49:50 +01:00
parent 6d3dc6e619
commit 8b357a118d
1 changed files with 0 additions and 47 deletions

View File

@ -159,53 +159,6 @@ module ActionController
end end
end end
# Backported fix for CVE-2012-3464
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'active_support/core_ext/string/output_safety'
class ERB
module Util
HTML_ESCAPE["'"] = '''
if RUBY_VERSION >= '1.9'
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
# In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
# puts html_escape("is a > 0 & a < 10?")
# # => is a &gt; 0 &amp; a &lt; 10?
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end
end
else
def html_escape(s) #:nodoc:
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
end
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
remove_method(:h)
alias h html_escape
module_function :h
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
end
end
require 'action_view/helpers/tag_helper' require 'action_view/helpers/tag_helper'
module ActionView::Helpers::TagHelper module ActionView::Helpers::TagHelper
def escape_once(html) def escape_once(html)