Project

General

Profile

Actions
Copy link

Bug #11855

closed

CGI.escapeHTML and taint/frozen

Added by znz (Kazuhiro NISHIYAMA) over 8 years ago. Updated about 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.0dev (2015-12-21 trunk 53230) [x86_64-darwin15]
Backport:
2.0.0: DONTNEED, 2.1: DONTNEED, 2.2: DONTNEED
[ruby-dev:49451]

Description

taint フラグや frozen の扱いが変わってしまっているようです。

% ruby -v -r cgi -e 'p CGI.escapeHTML("".taint).tainted?'
ruby 2.3.0dev (2015-12-21 trunk 53230) [x86_64-darwin14]
true
% ruby -v -r cgi -e 'p CGI.escapeHTML("&".taint).tainted?'
ruby 2.3.0dev (2015-12-21 trunk 53230) [x86_64-darwin14]
false
% ruby -v -r cgi -e 'p CGI.escapeHTML("".freeze).frozen?'
ruby 2.3.0dev (2015-12-21 trunk 53230) [x86_64-darwin14]
true
% ruby -v -r cgi -e 'p CGI.escapeHTML("&".freeze).frozen?'
ruby 2.3.0dev (2015-12-21 trunk 53230) [x86_64-darwin14]
false

% ruby -v -r cgi -e 'p CGI.escapeHTML("".taint).tainted?'
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-darwin14]
true
% ruby -v -r cgi -e 'p CGI.escapeHTML("&".taint).tainted?'
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-darwin14]
true
% ruby -v -r cgi -e 'p CGI.escapeHTML("".freeze).frozen?'
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-darwin14]
false
% ruby -v -r cgi -e 'p CGI.escapeHTML("&".freeze).frozen?'
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-darwin14]
false

Files

0001-Preserve-original-state-for-tainted-and-frozen.patch (1.88 KB) 0001-Preserve-original-state-for-tainted-and-frozen.patch k0kubun (Takashi Kokubun), 12/21/2015 03:00 PM
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0