authorDavid Heinemeier Hansson <david@loudthinking.com>2008-11-06 13:02:32 +0100
committerDavid Heinemeier Hansson <david@loudthinking.com>2008-11-06 13:02:32 +0100
commita358d87e16fa876de29286b69474ab6aaee4a80b (patch)
tree6d5a68b1948a2727fb515c794f1e4854c8eedb3e /actionpack/lib/action_controller/vendor/html-scanner
parent077773257b682b7929e77ced3bbf46acf56a10c9 (diff)
Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed]
Diffstat (limited to 'actionpack/lib/action_controller/vendor/html-scanner')
-rw-r--r--actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 12c8405101..ae20f9947c 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -160,7 +160,7 @@ module HTML
if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
node.attributes.delete(attr_name)
else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+ node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
end
end
end
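Review bot: The protocol check in the `if` still runs on the raw `value`, while the `else` branch now stores a decoded-then-re-escaped form, so validation and output no longer work on the same representation of the attribute. Whether `contains_bad_protocols?` already accounts for entity-encoded input cannot be seen from this hunk; if it does not, decode once before the check with `decoded = CGI::unescapeHTML(value)`, pass `decoded` to `contains_bad_protocols?`, and store `CGI::escapeHTML(decoded)`. Separately, `CGI::unescapeHTML` decodes only the basic entities and numeric references, so other named entities such as `&nbsp;` would presumably still come out double-escaped, which the commit title suggests it wants to avoid. The enclosing method starts outside the hunk, so where `value` is assigned is not visible here.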