From 97b811b7f8d3750635bea7e4f816d1ad71b5f9a1 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Tue, 19 Nov 2013 09:00:08 +1300
Subject: [PATCH] Ensure simple_format escapes its html attributes

The previous behavior equated the sanitize option for simple_format with the
escape option of content_tag, however these are two distinct concepts.

This fixes CVE-2013-6416
---
 actionpack/lib/action_view/helpers/text_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 2ed825e..285d27d 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -266,7 +266,7 @@ module ActionView
           content_tag(wrapper_tag, nil, html_options)
         else
           paragraphs.map { |paragraph|
-            content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
+            content_tag(wrapper_tag, raw(paragraph), html_options)
           }.join("\n\n").html_safe
         end
       end
-- 
1.8.3.4