Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fix double-escaped entities, such as &, {, etc. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5321 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit 02358c83b76f9fc56b6cabaee24b244d17d08cff 1 parent a0f7409
@technoweenie technoweenie authored
View
2  actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Fix double-escaped entities, such as &, {, etc. [Rick]
+
* Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]
* Fix routing to correctly determine when generation fails. Closes #6300. [psross].
View
7 actionpack/lib/action_view/helpers/tag_helper.rb
@@ -34,7 +34,7 @@ def cdata_section(content)
private
def tag_options(options)
cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
- ' ' + cleaned_options.map {|key, value| %(#{key}="#{html_escape(value.to_s)}")}.sort * ' ' unless cleaned_options.empty?
+ ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
end
def convert_booleans(options)
@@ -45,6 +45,11 @@ def convert_booleans(options)
def boolean_attribute(options, attribute)
options[attribute] ? options[attribute] = attribute : options.delete(attribute)
end
+
+ # Fix double-escaped entities, such as &, {, etc.
+ def fix_double_escape(escaped)
+ escaped.gsub(/&([a-z]+|(#\d+));/i) { "&#{$1};" }
+ end
end
end
end
View
12 actionpack/test/template/tag_helper_test.rb
@@ -38,4 +38,16 @@ def test_content_tag
def test_cdata_section
assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
end
+
+ def test_double_escaping_attributes
+ ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
+ assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
+ end
+ end
+
+ def test_skip_invalid_escaped_attributes
+ ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
+ assert_equal %(<a href="#{escaped.gsub /&/, '&amp;'}" />), tag('a', :href => escaped)
+ end
+ end
end
Please sign in to comment.
Something went wrong with that request. Please try again.