Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba

CVE-2012-3465

actionpack/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## Rails 3.1.8 (Aug 9, 2012)
 
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+  helper doesn't correctly handle malformed html.  As a result an attacker can
+  execute arbitrary javascript through the use of specially crafted malformed
+  html.
+
+  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
 * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
   If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
   Vulnerable code will look something like this:

actionpack/lib/action_view/helpers/sanitize_helper.rb

@@ -81,7 +81,7 @@ module ActionView
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +text+ leaving just the link text.

actionpack/test/template/sanitize_helper_test.rb

@@ -42,9 +42,9 @@ class SanitizeHelperTest < ActionView::TestCase
     [nil, '', '   '].each do |blank|
       stripped = strip_tags(blank)
       assert_equal blank, stripped
-      assert stripped.html_safe? unless blank.nil?
     end
-    assert strip_tags("<script>").html_safe?
+    assert_equal "", strip_tags("<script>")
+    assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
   end
 
   def test_sanitize_is_marked_safe