updated escape_html not to escape forward slash

fix: #2096
rack · Jul 17, 2023 · af9e278 · af9e278
1 parent 3855d1d
commit af9e278
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. For info on
 ### SPEC Changes
 
 - `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [@ioquatix])
+- `Rack::Utils.escape_html` doesn't escape forward slash (`/`) now. ([#2097](https://github.com/rack/rack/pull/2097), [@JunichiIto])
 
 ### Changed
 

diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -179,15 +179,14 @@ def best_q_match(q_value_header, available_mimes)
       "<" => "&lt;",
       ">" => "&gt;",
       "'" => "&#x27;",
-      '"' => "&quot;",
-      "/" => "&#x2F;"
+      '"' => "&quot;"
     }
 
     ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
 
     # Escape ampersands, brackets and quotes to their HTML/XML entities.
     def escape_html(string)
-      string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
+      string.to_s.gsub(ESCAPE_HTML_PATTERN, ESCAPE_HTML)
     end
 
     def select_best_encoding(available_encodings, accept_encoding)

diff --git a/test/spec_utils.rb b/test/spec_utils.rb
@@ -477,8 +477,7 @@ def initialize(*)
     Rack::Utils.escape_html("f>o").must_equal "f&gt;o"
     Rack::Utils.escape_html("f'o").must_equal "f&#x27;o"
     Rack::Utils.escape_html('f"o').must_equal "f&quot;o"
-    Rack::Utils.escape_html("f/o").must_equal "f&#x2F;o"
-    Rack::Utils.escape_html("<foo></foo>").must_equal "&lt;foo&gt;&lt;&#x2F;foo&gt;"
+    Rack::Utils.escape_html("<foo></foo>").must_equal "&lt;foo&gt;&lt;/foo&gt;"
   end
 
   it "escape html entities even on MRI when it's bugged" do