diff --git a/Gemfile.lock b/Gemfile.lock
index d737253219d25..3b29cd668731a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ GEM
 nokogiri (1.3.3)
 pg (0.9.0)
 rack (1.1.0)
- railslts-version (2.3.18.6)
+ railslts-version (2.3.18.8)
 rake (0.8.7)
 rdoc (2.5.11)
 sqlite3 (1.3.7)
diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
index 788c459e2ef91..37f6b3ac21162 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -83,7 +83,7 @@ def number_to_currency(number, options = {})
 unit = options[:unit] || defaults[:unit]
 separator = options[:separator] || defaults[:separator]
 delimiter = options[:delimiter] || defaults[:delimiter]
- format = options[:format] || defaults[:format]
+ format = options[:format] ? ERB::Util.html_escape(options[:format]) : defaults[:format]
 separator = '' if precision == 0
 begin
diff --git a/actionpack/test/template/number_helper_test.rb b/actionpack/test/template/number_helper_test.rb
index 4263613a9c3c6..fcf4b4ba4fa19 100644
--- a/actionpack/test/template/number_helper_test.rb
+++ b/actionpack/test/template/number_helper_test.rb
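Review bot: The new ternary in number_to_currency escapes a caller-supplied `:format` without saying why this option in particular needs it, so a later cleanup could fold it back into the `||` form used by the three assignments above it; a why-comment on the added line would protect the fix, e.g. `# a caller-supplied format is interpolated into the returned string, so escape it up front; the default format is trusted as-is` (that the result is handed back as an html_safe string is implied by the new test's comment rather than visible here, so confirm before wording it that way). The `unit`, `separator` and `delimiter` assignments in the same hunk are still taken raw, while the added test expects `:delimiter`/`:separator` to come out escaped from every number helper; that escaping is not in this diff and presumably lives elsewhere or in an earlier LTS change, which is worth verifying rather than assuming. The ternary also reads `options[:format]` twice; `format = options[:format] ? ERB::Util.html_escape(options[:format]) : defaults[:format]` could become `format = options[:format] && ERB::Util.html_escape(options[:format]) || defaults[:format]` only if an empty format is meant to fall back to the default, so the current form is the safer one and just needs the comment. number_to_currency begins before this hunk and continues after it.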
@@ -3,6 +3,28 @@ class NumberHelperTest < ActionView::TestCase
 tests ActionView::Helpers::NumberHelper
+
+ def test_number_helpers_escape_delimiter_and_separator
+ # html-escaping the right side is fine, since we only have a problem if the helper does
+ # not escape AND return a safe string
+
+ assert_equal "111<script></script>111<script></script>1111", ERB::Util.html_escape(number_to_phone(1111111111, :delimiter => ""))
+
+ assert_equal "$1<script></script>01", ERB::Util.html_escape(number_to_currency(1.01, :separator => ""))
+ assert_equal "$1<script></script>000.00", ERB::Util.html_escape(number_to_currency(1000, :delimiter => ""))
+
+ assert_equal "1<script></script>010%", ERB::Util.html_escape(number_to_percentage(1.01, :separator => ""))
+ assert_equal "1<script></script>000.000%", ERB::Util.html_escape(number_to_percentage(1000, :delimiter => ""))
+
+ assert_equal "1<script></script>01", ERB::Util.html_escape(number_with_delimiter(1.01, :separator => ""))
+ assert_equal "1<script></script>000", ERB::Util.html_escape(number_with_delimiter(1000, :delimiter => ""))
+
+ assert_equal "1<script></script>010", ERB::Util.html_escape(number_with_precision(1.01, :separator => ""))
+ assert_equal "1<script></script>000.000", ERB::Util.html_escape(number_with_precision(1000, :delimiter => ""))
+
+ assert_equal "9<script></script>9 KB", ERB::Util.html_escape(number_to_human_size(10100, :separator => ""))
+ end
+
 def test_number_to_phone
 assert_equal("555-1234", number_to_phone(5551234))
 assert_equal("800-555-1212", number_to_phone(8005551212))
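Review bot: As shown, every option argument in the new assertions is an empty string (`:delimiter => ""`, `:separator => ""`) while every expectation contains a literal `<script></script>`, which cannot both be right: the existing `:delimiter => ''` assert in test_number_to_phone yields a run of digits with nothing between them, and `html_escape` of an unsafe string would produce entities rather than raw tags. Most likely the markup inside the arguments and the entity-encoded expectations (`&lt;script&gt;…`) were lost in rendering, so the committed test should be checked to confirm that the payload is passed in the option and the escaped form is expected; the same applies to the `:country_code`/`:extension` asserts in the @@ -15 hunk and the `:format` assert in the @@ -28 hunk. The two-line header comment states the assumption correctly but tersely; assuming `ERB::Util.html_escape` honours `html_safe?` here, it would read more precisely as `# wrapping the result in html_escape is safe: a helper that returned raw markup as an html_safe string would pass through unchanged and fail the comparison, while an unsafe string is escaped exactly as a view would escape it`. The nine `ERB::Util.html_escape(...)` wrappers could also collapse into a small `assert_escaped(expected, actual)` helper so the intent lives in one place.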
@@ -15,6 +37,8 @@ def test_number_to_phone
 assert_equal("+18005551212", number_to_phone(8005551212, :country_code => 1, :delimiter => ''))
 assert_equal("22-555-1212", number_to_phone(225551212))
 assert_equal("+45-22-555-1212", number_to_phone(225551212, :country_code => 45))
+ assert_equal "+<script></script>8005551212", ERB::Util.html_escape(number_to_phone(8005551212, :country_code => "", :delimiter => ""))
+ assert_equal "8005551212 x <script></script>", ERB::Util.html_escape(number_to_phone(8005551212, :extension => "", :delimiter => ""))
 assert_equal("x", number_to_phone("x"))
 assert_nil number_to_phone(nil)
 end
@@ -28,6 +52,7 @@ def test_number_to_currency
 assert_equal("&pound;1234567890,50", number_to_currency(1234567890.50, {:unit => "£", :separator => ",", :delimiter => ""}))
 assert_equal("$1,234,567,890.50", number_to_currency("1234567890.50"))
 assert_equal("1,234,567,890.50 Kč", number_to_currency("1234567890.50", {:unit => raw("Kč"), :format => "%n %u"}))
+ assert_equal "<b>1,234,567,890.50</b> $", ERB::Util.html_escape(number_to_currency("1234567890.50", :format => "%n %u"))
 #assert_equal("$x.", number_to_currency("x")) # fails due to API consolidation
 assert_equal("$x", number_to_currency("x"))
 assert_nil number_to_currency(nil)
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 6e780108ca1d1..ccbde9872ed90 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -19,5 +19,5 @@ Gem::Specification.new do |s|
 s.add_dependency 'actionpack', '= 2.3.18'
 s.add_dependency 'actionmailer', '= 2.3.18'
 s.add_dependency 'activeresource', '= 2.3.18'
- s.add_dependency 'railslts-version', '= 2.3.18.7'
+ s.add_dependency 'railslts-version', '= 2.3.18.8'
 end
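Review bot: The added `:format` assertion in the @@ -28 hunk is the only direct test of the number_to_currency change, and it covers just the untrusted case; nothing pins what happens to a format a template deliberately marks trusted. If `ERB::Util.html_escape` honours `html_safe?` in this tree, a companion assert in the style of the existing `:unit => raw("Kč")` line, passing `:format => raw("…")` and expecting the markup to survive, would document that escape hatch; if it does not, any application that already passes markup in `:format` now gets it entity-encoded, which is a behaviour change that deserves a line in the LTS changelog alongside the version bump. The @@ -15 hunk's `:extension` assert expects `8005551212 x …`, which is only reachable if the extension argument is non-blank (the existing `:extension => "  "` assert shows blanks are dropped), so that argument too should be checked against the committed source. test_number_to_currency starts before the @@ -28 hunk and its `end` lies after it.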