aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Heinemeier Hansson <david@loudthinking.com>2008-11-06 13:02:32 +0100
committerDavid Heinemeier Hansson <david@loudthinking.com>2008-11-06 13:02:32 +0100
commita358d87e16fa876de29286b69474ab6aaee4a80b (patch)
tree6d5a68b1948a2727fb515c794f1e4854c8eedb3e
parent077773257b682b7929e77ced3bbf46acf56a10c9 (diff)
downloadrails-a358d87e16fa876de29286b69474ab6aaee4a80b.tar.gz
rails-a358d87e16fa876de29286b69474ab6aaee4a80b.tar.bz2
rails-a358d87e16fa876de29286b69474ab6aaee4a80b.zip
Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed]
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb2
-rw-r--r--actionpack/test/controller/html-scanner/sanitizer_test.rb4
-rw-r--r--activerecord/CHANGELOG2
4 files changed, 8 insertions, 2 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 3ce6522535..e7d5031f1a 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*2.2.1 [RC2 or 2.2 final]*
+* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary]
+
* Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov]
* Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik]
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 12c8405101..ae20f9947c 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -160,7 +160,7 @@ module HTML
if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
node.attributes.delete(attr_name)
else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+ node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
end
end
end
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index a9e8447e32..bae0f5c9fd 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -253,6 +253,10 @@ class SanitizerTest < Test::Unit::TestCase
assert_sanitized "<![CDATA[<span>neverending...", "&lt;![CDATA[&lt;span>neverending...]]>"
end
+ def test_should_not_mangle_urls_with_ampersand
+ assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
+ end
+
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 154d9f71c4..290c0d785c 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,6 +1,6 @@
*2.2.1 [RC2 or 2.2 final]*
-* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 as they only clutter up the log and offer no value [DHH]
+* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 for the MysqlAdapter as they only clutter up the log and offer no value [DHH]
* Ensure indices don't flip order in schema.rb #1266 [Jordi Bunster]