author | Matthew Draper <matthew@trebex.net> | 2015-12-22 00:23:40 +1030 |
---|---|---|
committer | Matthew Draper <matthew@trebex.net> | 2015-12-22 00:23:40 +1030 |
commit | 78b523d1823518da698d240131875d84f23c938c (patch) | |
tree | 92459e34ca822c5d650ec323c78a0da4a08f937b /activesupport/lib/active_support | |
parent | 97eb5553f9b750963b4891171fb6e3fd3526a5a6 (diff) | |
parent | 51152fc0f8517b24af4a619faa9df9879920f5d1 (diff) | |
Merge pull request #22722 from k0kubun/use-cgi-html-escape
Use CGI.escapeHTML for html escape
Diffstat (limited to 'activesupport/lib/active_support')
-rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 510fa48189..04ed8e7cd8 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -5,7 +5,6 @@ class ERB
   module Util
     HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
-    HTML_ESCAPE_REGEXP = /[&"'><]/
     HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
     JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
@@ -37,7 +36,7 @@ class ERB
       if s.html_safe?
         s
       else
-        ActiveSupport::Multibyte::Unicode.tidy_bytes(s).gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
+        CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
       end
     end
     module_function :unwrapped_html_escape
@@ -243,8 +242,7 @@ module ActiveSupport #:nodoc:
     private
       def html_escape_interpolated_argument(arg)
-        (!html_safe? || arg.html_safe?) ? arg :
-          arg.to_s.gsub(ERB::Util::HTML_ESCAPE_REGEXP, ERB::Util::HTML_ESCAPE)
+        (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
       end
     end
   end
|
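Review bot: Deleting `HTML_ESCAPE_REGEXP` from `ERB::Util` in the first hunk removes a public constant with no deprecation path, so any code outside this file that still does `gsub(ERB::Util::HTML_ESCAPE_REGEXP, ERB::Util::HTML_ESCAPE)` (the exact idiom the third hunk deletes) will raise NameError after upgrading. Keeping the constant next to `HTML_ESCAPE_ONCE_REGEXP` with `# Deprecated: no longer used here; html escaping now goes through CGI.escapeHTML`, or at least a CHANGELOG entry, would make the removal safe to ship. `HTML_ESCAPE` itself is kept, which looks intentional since the once-escape path that uses it is outside the hunk.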
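Review bot: `unwrapped_html_escape` in the second hunk now depends on `CGI` being loaded, but the file's require list is outside the hunk, so confirm this file requires `cgi/util` (or `erb`, which loads it) rather than relying on another file having done so first; otherwise the method raises NameError on first use when loaded standalone. The new line also deserves a why-comment because the ordering is deliberate: `# tidy_bytes first so escaping runs on a string with a valid encoding; the caller marks the result html_safe`. The `if/else` belongs to a method whose `def` line is outside the hunk.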