From 9257106b09714feb0904bc540e8995953d979622 Mon Sep 17 00:00:00 2001 From: "Philipp Kempgen (Amooma)" Date: Thu, 14 Apr 2011 07:51:14 -0700 Subject: properly escape "'" to "'" for XML/HTML (BTW Erubis does that as well) --- activesupport/lib/active_support/core_ext/string/output_safety.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'activesupport') diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index c27cbc37c5..252168dacc 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/singleton_class' class ERB module Util - HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } + HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } # A utility method for escaping HTML tag characters. @@ -20,7 +20,7 @@ class ERB if s.html_safe? s else - s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe + s.gsub(/[&"'><]/) { |special| HTML_ESCAPE[special] }.html_safe end end -- cgit v1.2.3 From 328a16b31ef6d8970a1d8fe4243c2973e4fd8b94 Mon Sep 17 00:00:00 2001 From: "Philipp Kempgen (Amooma)" Date: Thu, 14 Apr 2011 07:55:10 -0700 Subject: for escaping HTML can be treated as normal XML --- activesupport/lib/active_support/core_ext/string/output_safety.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'activesupport') diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 252168dacc..6f410819ba 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/singleton_class' class ERB module Util - HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } + XML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } # A utility method for escaping HTML tag characters. @@ -20,7 +20,7 @@ class ERB if s.html_safe? s else - s.gsub(/[&"'><]/) { |special| HTML_ESCAPE[special] }.html_safe + s.gsub(/[&"'><]/) { |special| XML_ESCAPE[special] }.html_safe end end -- cgit v1.2.3 From 474e313d02f0c8f9d821efe720bd5242e700233f Mon Sep 17 00:00:00 2001 From: Philipp Kempgen Date: Tue, 26 Apr 2011 01:04:05 +0200 Subject: test "Escapes special HTML/XML characters" do ... --- activesupport/test/core_ext/string_ext_test.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'activesupport') diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index bb865cae91..38b344b885 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -381,6 +381,18 @@ class OutputSafetyTest < ActiveSupport::TestCase assert !@other_combination.html_safe? end + test "Escapes special HTML/XML characters" do + @other_string = "other".html_safe + @combination = @other_string + "&\"'" + @other_combination = @string + "&\"'" + + assert_equal "other<foo>&"'", @combination + assert_equal "hello&\"'", @other_combination + + assert @combination.html_safe? + assert !@other_combination.html_safe? + end + test "Concatting safe onto unsafe yields unsafe" do @other_string = "other" -- cgit v1.2.3