lib/rack/directory.rb in rack-1.5.5 vs lib/rack/directory.rb in rack-1.6.0.beta
- old
+ new
@@ -133,12 +133,12 @@
"Content-Length" => size.to_s,
"X-Cascade" => "pass"}, [body]]
end
def each
- show_path = @path.sub(/^#{@root}/,'')
- files = @files.map{|f| DIR_FILE % f }*"\n"
+ show_path = Rack::Utils.escape_html(@path.sub(/^#{@root}/,''))
+ files = @files.map{|f| DIR_FILE % DIR_FILE_escape(*f) }*"\n"
page = DIR_PAGE % [ show_path, show_path , files ]
page.each_line{|l| yield l }
end
# Stolen from Ramaze
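Review bot: The new `show_path` line still interpolates `@root` unescaped into the regex and anchors it with `^`, so a root directory whose name contains regex metacharacters is matched as a pattern rather than a literal prefix, and `^` matches at any line start rather than only the start of the string; `show_path = Rack::Utils.escape_html(@path.sub(/\A#{Regexp.escape(@root)}/, ''))` keeps the added escaping and fixes both. `DIR_FILE_escape(*f)` deliberately leaves the first element of each `@files` entry unescaped, and the code that builds those entries is outside this hunk, so whether that value is safe to place inside an href attribute cannot be confirmed from here. This line also spells the helper as `Rack::Utils.escape_html` while the method added in the second hunk uses `Utils.escape_html`; one spelling throughout would read more consistently.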
@@ -154,8 +154,14 @@
FILESIZE_FORMAT.each do |format, size|
return format % (int.to_f / size) if int >= size
end
int.to_s + 'B'
+ end
+
+ private
+ # Assumes url is already escaped.
+ def DIR_FILE_escape url, *html
+ [url, *html.map { |e| Utils.escape_html(e) }]
end
end
end
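Review bot: `DIR_FILE_escape` begins with an uppercase letter, so Ruby parses the bare identifier as a constant and the method is only reachable through a parenthesised call such as `DIR_FILE_escape(*f)`; a snake_case name, `def dir_file_escape(url, *html)`, with the call site in the first hunk renamed to match, follows the method naming used elsewhere in the file and avoids the lint warning. The comment `# Assumes url is already escaped.` does not say which escaping is meant, and the value ends up in HTML, so it would be clearer as `# url must already be safe to embed in an HTML attribute (presumably percent-encoded); only the remaining columns are HTML-escaped here.` The enclosing method starts before this hunk, and the hunk header counts one more line than is shown on each side, so a context line was probably dropped in rendering.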