# Instrument ActionView so that a tainted (attacker-influenced) string which
# has been marked +html_safe?+ -- i.e. one that will bypass ERB escaping -- is
# reported as a potential XSS at the moment it is written to the output buffer.
#
# Two hooks are installed:
#
# * +ActionView::OutputBuffer#append=+ is redefined to report any value that is
#   both tainted and +html_safe?+, then append it via +<<+ as before. The report
#   is only a detection; the value is still written to the buffer.
# * +ActionView::Template#render+ is wrapped (via prepend) so that the rendered
#   output, and whatever the layout/yield block returns, is untainted.
#   Presumably this keeps an already-inspected fragment from being re-flagged
#   when an enclosing template appends it -- confirm against the reporter.
#
# NOTE(review): only the +Template+ hook is guarded with +const_defined?+; the
# +OutputBuffer+ patch dereferences +ActionView+ unconditionally, so calling this
# without ActionView loaded raises NameError.
#
# NOTE(review): Ruby's taint tracking (+tainted?+ / +untaint+) became a no-op in
# Ruby 2.7 and was removed in 3.2. On 2.7-3.1 the +tainted?+ check is always
# false, so this detector silently never fires; on 3.2+ it raises NoMethodError.
#
# @return [Class, nil] the +ActionView::Template+ class when the render hook was
#   prepended, +nil+ when that constant is not defined.
def replace!
  ActionView::OutputBuffer.class_eval do
    # Report a tainted value that is about to be emitted unescaped, then append.
    def append=(value)
      flagged = value.tainted? && value.html_safe?
      TaintedLove.report(:ReplaceActionView, value, [:xss], 'Tainted string is html_safe') if flagged
      self << value
    end
  end

  untainting_render = Module.new do
    # Render as usual, untainting both the yielded layout content and the
    # final rendered result.
    def render(*args, &block)
      rendered = super(*args) { |*yielded, &inner| block.call(*yielded, &inner).untaint }
      rendered.untaint
    end
  end

  return unless Object.const_defined?('ActionView::Template')

  ActionView::Template.prepend(untainting_render)
end