SafeBuffer#gsub breaks block form match variables $1, $2, $`, $&, and $' #1046

Closed
hooopo opened this Issue Feb 4, 2013 · 0 comments

@hooopo

SafeBuffer#gsub breaks js_escape_html method:

[28] pry(main)> require 'active_support/core_ext/string/output_safety'
=> false
[29] pry(main)> html = ActiveSupport::SafeBuffer.new('<a href="http://ask.csdn.net">"s"</a>')
=> "<a href=\"http://ask.csdn.net\">\"s\"</a>"
[30] pry(main)> javascript_mapping = { '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n', "\r" => '\n', '"' => '\\"', "'" => "\\'" }
=> {"\\"=>"\\\\",
 "</"=>"<\\/",
 "\r\n"=>"\\n",
 "\n"=>"\\n",
 "\r"=>"\\n",
 "\""=>"\\\"",
 "'"=>"\\'"}
[31] pry(main)> html.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { javascript_mapping[$1] }
=> "<a href=http://ask.csdn.net>sa>"
[32] pry(main)> html.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { p $1}
"s"
"s"
"s"
"s"
"s"
=> "<a href=shttp://ask.csdn.nets>ssssa>"
[33] pry(main)> html.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|m| p m}
"\""
"\""
"\""
"\""
"</"

related issue: rails/rails#1555

@skade skade was assigned Feb 4, 2013
@hooopo hooopo added a commit that referenced this issue Feb 8, 2013
@hooopo hooopo fix broken js_escape_html #1046 fb6a509
@hooopo hooopo closed this Feb 8, 2013
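
The behaviour reported above can be reproduced without ActiveSupport. The following is an added example, not code from the issue or from the referenced commit: `WrappedString` is a constructed stand-in for a String subclass whose `gsub` forwards to `super`, and the helper names and sample URL are assumptions. It compares the `$1` block form with two forms that do not depend on match variables.

```ruby
# Added example. WrappedString is a constructed stand-in (assumption): a String
# subclass whose gsub forwards to super, so String#gsub runs one frame deeper.
class WrappedString < String
  def gsub(*args, &block)
    # String#gsub stores $~ (and so $1, $&, ...) in this method's frame,
    # not in the frame where the caller's block was written.
    super(*args, &block)
  end
end

# Mapping and pattern copied from the report.
JS_MAP = { '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n',
           "\r" => '\n', '"' => '\\"', "'" => "\\'" }.freeze
PATTERN = /(\\|<\/|\r\n|[\n\r"'])/

# Form used in the report: depends on $1 being set in the block's frame.
def escape_with_match_var(str)
  str.gsub(PATTERN) { JS_MAP[$1] }
end

# Block parameter: the matched text is passed in, no frame-local state needed.
def escape_with_block_param(str)
  str.gsub(PATTERN) { |m| JS_MAP[m] }
end

# Hash form: String#gsub looks the matched text up in the hash itself.
def escape_with_hash(str)
  str.gsub(PATTERN, JS_MAP)
end

# Probe: does a block passed to this object's gsub see its own match in $1?
def match_vars_visible?(str)
  seen = []
  str.gsub(/(.)/) { seen << $1; '' }
  !seen.empty? && seen.none?(&:nil?)
end

SAMPLE = '<a href="http://example.test">"s"</a>' # constructed input

if __FILE__ == $PROGRAM_NAME
  wrapped = WrappedString.new(SAMPLE)
  puts escape_with_match_var(SAMPLE)     # plain String: escaped
  puts escape_with_match_var(wrapped)    # wrapper: quotes and "</" dropped
  puts escape_with_block_param(wrapped)  # escaped
  puts escape_with_hash(wrapped)         # escaped
end
```

With the wrapper, the `$1` form returns `nil` from the block for every match, so the characters that should have been escaped are silently deleted instead of raising an error; a regression test that compares the helper's output against a known-good escaped string catches this.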