escape format for CVE-2014-0081

actionpack/lib/action_view/helpers/number_helper.rb

@@ -73,6 +73,8 @@ def number_to_phone(number, options = {})
       def number_to_currency(number, options = {})
         options.symbolize_keys!
 
+        options[:format]    = ERB::Util.html_escape(options[:format]) if options[:format]
+
         defaults  = I18n.translate(:'number.format', :locale => options[:locale], :raise => true) rescue {}
         currency  = I18n.translate(:'number.currency.format', :locale => options[:locale], :raise => true) rescue {}
         defaults  = defaults.merge(currency)

actionpack/test/template/number_helper_test.rb

@@ -3,6 +3,12 @@
 class NumberHelperTest < ActionView::TestCase
   tests ActionView::Helpers::NumberHelper
 
+  def test_number_helpers_escape_delimiter_and_separator
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;01", number_to_currency(1.01, :separator => "<script></script>")
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;000.00", number_to_currency(1000, :delimiter => "<script></script>")
+    assert_equal "&lt;script&gt;1,000.00$&lt;/script&gt;", number_to_currency(1000, :format => "<script>%n%u</script>")
+  end
+
   def test_number_to_phone
     assert_equal("555-1234", number_to_phone(5551234))
     assert_equal("800-555-1212", number_to_phone(8005551212))