author | David Heinemeier Hansson <david@loudthinking.com> | 2008-11-06 13:02:32 +0100 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2008-11-06 13:02:32 +0100 |
commit | a358d87e16fa876de29286b69474ab6aaee4a80b (patch) | |
tree | 6d5a68b1948a2727fb515c794f1e4854c8eedb3e | |
parent | 077773257b682b7929e77ced3bbf46acf56a10c9 (diff) | |
Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed]
-rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
-rw-r--r-- | actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 2 | ||||
-rw-r--r-- | actionpack/test/controller/html-scanner/sanitizer_test.rb | 4 | ||||
-rw-r--r-- | activerecord/CHANGELOG | 2 |
4 files changed, 8 insertions, 2 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 3ce6522535..e7d5031f1a 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *2.2.1 [RC2 or 2.2 final]*
+* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary]
+
 * Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov]
 * Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik]
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 12c8405101..ae20f9947c 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -160,7 +160,7 @@ module HTML
 if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
 node.attributes.delete(attr_name)
 else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+ node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
 end
 end
 end
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index a9e8447e32..bae0f5c9fd 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
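Review bot: In sanitizer.rb the `if` still passes the raw `value` to `contains_bad_protocols?`, while the else branch now stores the entity-decoded and re-escaped form, so the string that is checked is no longer the string that is emitted. Before this change `CGI::escapeHTML(value)` left any character reference in the value inert by escaping its `&`; now the reference is decoded into a literal character first. Whether `contains_bad_protocols?` decodes entities itself is not visible here, so I would decode once and use the result for both steps: `decoded = CGI::unescapeHTML(value)`, then `contains_bad_protocols?(attr_name, decoded)` and `CGI::escapeHTML(decoded)`. The `style` branch still hands the undecoded `value` to `sanitize_css` and deserves the same look. The enclosing method begins and ends outside the hunk.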
@@ -253,6 +253,10 @@ class SanitizerTest < Test::Unit::TestCase
 assert_sanitized "<![CDATA[<span>neverending...", "<![CDATA[<span>neverending...]]>"
 end
+ def test_should_not_mangle_urls_with_ampersand
+ assert_sanitized %{<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>}
+ end
+
 protected
 def assert_sanitized(input, expected = nil)
 @sanitizer ||= HTML::WhiteListSanitizer.new
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 154d9f71c4..290c0d785c 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,6 +1,6 @@
 *2.2.1 [RC2 or 2.2 final]*
-* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 as they only clutter up the log and offer no value [DHH]
+* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 for the MysqlAdapter as they only clutter up the log and offer no value [DHH]
 * Ensure indices don't flip order in schema.rb #1266 [Jordi Bunster] |
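Review bot: `test_should_not_mangle_urls_with_ampersand` in sanitizer_test.rb pins only the query-string ampersand, but the changed line in sanitizer.rb now decodes every reference `CGI::unescapeHTML` understands, including `&quot;`, `&lt;` and numeric ones. I would add a case showing that such references inside an allowed attribute come back encoded, for example the constructed sample `assert_sanitized %{<a href="http://www.domain.com?q=&quot;x&quot;">my link</a>}`. A second case should assert that an `href` whose scheme is written with character references is still dropped. `assert_sanitized` is only partly visible in the hunk, so this assumes `expected` defaults to the input.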