Bugfix: don't do entity escaping inside :script tags

When passing a script tag with multiple text node child elements, the text would still be escaped, which is a valid use case and erroneous behavior.
plexus · Mar 4, 2015 · 8accefd · 8accefd
1 parent 6a6b93f
commit 8accefd
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 5 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,13 +1,17 @@
 ### Development
 
-[full diff](http://github.com/plexus/hexp/compare/v0.4.4...master)
+[full diff](http://github.com/plexus/hexp/compare/v0.4.5...master)
+
+### v0.4.5
+
+* Bugfix: don't do entity escaping inside :script tags, also not when
+  there's more than one text node as a child element
 
 ### v0.4.4
 
 * Drop the dependency on SASS, use Nokogiri instead for parsing CSS
   selectors
 
-
 ### v0.4.3
 
 Performance improvements

diff --git a/lib/hexp/unparser.rb b/lib/hexp/unparser.rb
@@ -67,8 +67,8 @@ def add_tag(buffer, tag, attrs, children)
     def add_child_nodes(buffer, tag, children)
       # TODO look into the special parsing mode that browsers use inside <script> tags,
       # at the least we should throw an error if the text contains </script>
-      if options[:no_escape].include?(tag) && children.length == 1 && children.first.text?
-        buffer << children.first
+      if options[:no_escape].include?(tag) && children.all?(&:text?)
+        children.each {|node| buffer << node }
       else
         children.each {|node| add_node(buffer, node) }
       end

diff --git a/lib/hexp/version.rb b/lib/hexp/version.rb
@@ -1,3 +1,3 @@
 module Hexp
-  VERSION = '0.4.4'
+  VERSION = '0.4.5'
 end
diff --git a/spec/unit/hexp/unparser_spec.rb b/spec/unit/hexp/unparser_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Hexp::Unparser do
+  let(:unparser) { described_class.new({}) }
+  let(:node) { H[:p, %q{Hello "world", it's great meet & chat >.<}] }
+  let(:html) { unparser.call(node) }
+
+  it 'should escape sensitive characters' do
+    expect(html).to eql '<p>Hello &quot;world&quot;, it&#x27;s great meet &amp; chat &gt;.&lt;</p>'
+  end
+
+  context 'inside a script tag' do
+    let(:node) { H[:script, %q{Hello "world", }, %q{it's great meet & chat >.<}] }
+
+    it 'should not escape' do
+      expect(html).to eql %q{<script>Hello "world", it's great meet & chat >.<</script>}
+    end
+  end
+end