@@ -1,5 +1,7 @@ *2.2.1 [RC2 or 2.2 final]* +* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary] + * Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov] * Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik] actionpack/CHANGELOG @@ -160,7 +160,7 @@ module HTML if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value) node.attributes.delete(attr_name) else - node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value) + node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value)) end end end actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -253,6 +253,10 @@ class SanitizerTest < Test::Unit::TestCase assert_sanitized "<![CDATA[<span>neverending...", "&lt;![CDATA[&lt;span>neverending...]]>" end + def test_should_not_mangle_urls_with_ampersand + assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>} + end + protected def assert_sanitized(input, expected = nil) @sanitizer ||= HTML::WhiteListSanitizer.new actionpack/test/controller/html-scanner/sanitizer_test.rb @@ -1,6 +1,6 @@ *2.2.1 [RC2 or 2.2 final]* -* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 as they only clutter up the log and offer no value [DHH] +* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 for the MysqlAdapter as they only clutter up the log and offer no value [DHH] * Ensure indices don't flip order in schema.rb #1266 [Jordi Bunster] activerecord/CHANGELOG 077773257b682b7929e77ced3bbf46acf56a10c9 David Heinemeier Hansson dhh david@loudthinking.com http://github.com/rails/rails/commit/a358d87e16fa876de29286b69474ab6aaee4a80b a358d87e16fa876de29286b69474ab6aaee4a80b 2008-11-06T04:02:32-08:00 2008-11-06T04:02:32-08:00 Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed] 6d5a68b1948a2727fb515c794f1e4854c8eedb3e David Heinemeier Hansson dhh david@loudthinking.com