diff options
| author | David Heinemeier Hansson <david@loudthinking.com> | 2008-11-06 13:02:32 +0100 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2008-11-06 13:02:32 +0100 |
| commit | a358d87e16fa876de29286b69474ab6aaee4a80b (patch) | |
| tree | 6d5a68b1948a2727fb515c794f1e4854c8eedb3e /actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | |
| parent | 077773257b682b7929e77ced3bbf46acf56a10c9 (diff) | |
| download | rails-a358d87e16fa876de29286b69474ab6aaee4a80b.tar.gz rails-a358d87e16fa876de29286b69474ab6aaee4a80b.tar.bz2 rails-a358d87e16fa876de29286b69474ab6aaee4a80b.zip | |
Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed]
Diffstat (limited to 'actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb')
| -rw-r--r-- | actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 12c8405101..ae20f9947c 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -160,7 +160,7 @@ module HTML if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value) node.attributes.delete(attr_name) else - node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value) + node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value)) end end end |