From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if thats happens. Fix CVE-2016-2098.

---
 actionview/test/template/render_test.rb | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletion(-)

diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index caf6d13..b3de94f 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -149,6 +149,25 @@ module RenderTestCases
       end
     end
 
+  def test_render_with_strong_parameters
+    params = { :inline => '<%= RUBY_VERSION %>' }
+    def params.permitted?
+      false
+    end
+    e = assert_raises ArgumentError do
+      @view.render(params)
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+
+  def test_render_with_permitted_strong_parameters
+    params = { inline: "<%= 'hello' %>" }
+    def params.permitted?
+      true
+    end
+    assert_equal 'hello', @view.render(params)
+  end
+
   def test_render_partial
     assert_equal "only partial", @view.render(:partial => "test/partial_only")
   end
-- 
2.5.4 (Apple Git-61)
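Review bot: The ArgumentError guard that these two tests pin ("render parameters are not permitted") is not part of this patch, which touches only render_test.rb, so the diff cannot be evaluated against the view-side check it describes and should be reviewed together with the change to the rendering helper that raises it. Both tests stand in for ActionController::Parameters by defining a singleton `permitted?` on a plain Hash, which is non-obvious at a glance; a one-line comment above each stub such as `# plain Hash standing in for an ActionController::Parameters instance; only permitted? is consulted here` would make the intent clear. The permitted case asserts that a permitted options hash still renders, but there is no assertion that a plain Hash without `permitted?` (the existing `@view.render(:partial => ...)` path) keeps working after the guard is added, so consider stating that expectation explicitly in a test rather than relying on test_render_partial incidentally. The two new tests also mix `:inline =>` with `inline:` and single with double quotes for the same kind of literal; picking one form in both would match the rest of the hunk's style.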