$OpenBSD: patch-lib_action_view_helpers_url_helper_rb,v 1.1 2011/02/10 01:42:22 jeremy Exp $

Fix for CVE-2011-0446.

--- lib/action_view/helpers/url_helper.rb.orig	Wed Dec 31 16:00:00 1969
+++ lib/action_view/helpers/url_helper.rb	Wed Feb  9 08:48:17 2011
@@ -490,7 +490,9 @@ module ActionView
         string = ''
 
         if encode == "javascript"
-          "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".each_byte do |c|
+          html   = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
+          html   = escape_javascript(html)
+          "document.write('#{html}');".each_byte do |c|
             string << sprintf("%%%x", c)
           end
           "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe
