prevent santize from mangling ampersand in urls
fixes
http://rails.lighthouseapp.com/projects/8994/tickets/683-problem-with-railssanitize-white_list_sanitizer-sanitize
antonmos (author)
Wed Aug 27 10:17:48 -0700 2008
commit  9a27a23d077dbdd3e29f8f1b57b6c04e04259151
tree    e0e2bf55db93dda3df502fa61405803822b58388
parent  54fa6cd0d6babf00a251584499500e7466273944
...
160
161
162
163
 
164
165
166
...
160
161
162
 
163
164
165
166
0
@@ -160,7 +160,7 @@ module HTML
0
         if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
0
           node.attributes.delete(attr_name)
0
         else
0
-          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
0
+          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
0
         end
0
       end
0
     end
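Review bot: The entity decode added on the new line 163 runs after `contains_bad_protocols?` has already inspected the raw `value` on line 160, so the protocol check and the emitted attribute now operate on different strings: an href like `javascript&#x3A;alert(1)` is checked in its encoded form but written out decoded, and the browser acts on the decoded URL. Whether that is reachable depends on how completely `contains_bad_protocols?` (not shown here) recognises encoded colons and protocol names; unless it decodes exactly what `CGI::unescapeHTML` decodes, checking before decoding is unsafe. Decode once ahead of the check so both sides see the same value, e.g. `value = CGI::unescapeHTML(value) unless attr_name == 'style'` before the `if`, and `CGI::escapeHTML(value)` on the else branch; keeping style values out of the decode preserves what `sanitize_css` receives today. A regression test with an encoded colon would pin the intended behaviour. The enclosing method begins before this hunk and ends after it.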
...
247
248
249
250
 
 
 
 
251
252
253
...
247
248
249
 
250
251
252
253
254
255
256
0
@@ -247,7 +247,10 @@ class SanitizerTest < Test::Unit::TestCase
0
   def test_should_not_remove_unknown_tags
0
      assert_sanitized %{begin <foo>foobar</bar> end}, 'begin &lt;foo>foobar&lt;/bar> end'
0
   end
0
0
+  
0
+  def test_should_not_mangle_urls_with_ampersand
0
+     assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
0
+  end
0
 
0
 protected
0
   def assert_sanitized(input, expected = nil)
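Review bot: The new test at lines 251-254 only shows that `&amp;` survives the round trip; nothing exercises what the decode step does to a hostile value, which is the part of this change most worth pinning. Since attribute values are now unescaped before being written out, an href such as `javascript&#x3A;alert(1)` should still be dropped after this commit, and a case like `assert_sanitized %{<a href="javascript&#x3A;alert(1)">x</a>}, '<a>x</a>'` would catch a protocol check that only sees the encoded form; the exact expected markup should follow how the existing bad-protocol tests in this file state it. A second case using a numeric entity for the ampersand itself, e.g. `&#38;`, would cover the decoder beyond the named entity. The added blank line at 251 carries trailing whitespace.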
