Remove monkey patch which is already included in Rails 2.3.17 #1233
This commit is contained in:
parent
6d3dc6e619
commit
8b357a118d
|
@ -159,53 +159,6 @@ module ActionController
|
|||
end
|
||||
end
|
||||
|
||||
# Backported fix for CVE-2012-3464
|
||||
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
|
||||
# TODO: Remove this once we are on Rails >= 3.2.8
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
class ERB
|
||||
module Util
|
||||
HTML_ESCAPE["'"] = '''
|
||||
|
||||
if RUBY_VERSION >= '1.9'
|
||||
# A utility method for escaping HTML tag characters.
|
||||
# This method is also aliased as <tt>h</tt>.
|
||||
#
|
||||
# In your ERB templates, use this method to escape any unsafe content. For example:
|
||||
# <%=h @person.name %>
|
||||
#
|
||||
# ==== Example:
|
||||
# puts html_escape("is a > 0 & a < 10?")
|
||||
# # => is a > 0 & a < 10?
|
||||
def html_escape(s)
|
||||
s = s.to_s
|
||||
if s.html_safe?
|
||||
s
|
||||
else
|
||||
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
|
||||
end
|
||||
end
|
||||
else
|
||||
def html_escape(s) #:nodoc:
|
||||
s = s.to_s
|
||||
if s.html_safe?
|
||||
s
|
||||
else
|
||||
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
|
||||
remove_method(:h)
|
||||
alias h html_escape
|
||||
|
||||
module_function :h
|
||||
|
||||
singleton_class.send(:remove_method, :html_escape)
|
||||
module_function :html_escape
|
||||
end
|
||||
end
|
||||
require 'action_view/helpers/tag_helper'
|
||||
module ActionView::Helpers::TagHelper
|
||||
def escape_once(html)
|
||||
|
|
Loading…
Reference in New Issue