* lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single

unescaped ampersand. a patch from Tietew <tietew+ruby-dev at tietew.net> in [ruby-dev:30292]. fixed: [ruby-dev:30289] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@11746 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
marcandre · Feb 15, 2007 · 713920f · 713920f
1 parent c31e487
commit 713920f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+Thu Feb 15 10:57:38 2007  Tietew  <tietew@tietew.net>>
+
+	* lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single
+	  unescaped ampersand.  a patch from Tietew
+	  <tietew+ruby-dev at tietew.net> in [ruby-dev:30292].
+	  fixed: [ruby-dev:30289]
+
 Thu Feb 15 10:48:40 2007  MenTaLguY  <mental@rydia.net>
 
 	* ext/thread/thread.c: Handle interrupted waits correctly.

diff --git a/lib/cgi.rb b/lib/cgi.rb
@@ -367,13 +367,13 @@ def CGI::escapeHTML(string)
   #   CGI::unescapeHTML("Usage: foo &quot;bar&quot; &lt;baz&gt;")
   #      # => "Usage: foo \"bar\" <baz>"
   def CGI::unescapeHTML(string)
-    string.gsub(/&(.*?);/n) do
+    string.gsub(/&(amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/n) do
       match = $1.dup
       case match
-      when /\Aamp\z/ni           then '&'
-      when /\Aquot\z/ni          then '"'
-      when /\Agt\z/ni            then '>'
-      when /\Alt\z/ni            then '<'
+      when 'amp'                 then '&'
+      when 'quot'                then '"'
+      when 'gt'                  then '>'
+      when 'lt'                  then '<'
       when /\A#0*(\d+)\z/n       then
         if Integer($1) < 256
           Integer($1).chr