Permalink
Browse files

Fixed the sanitize helper to avoid double escaping already properly e…

…scaped entities [#683 state:committed]
  • Loading branch information...
1 parent 0777732 commit a358d87e16fa876de29286b69474ab6aaee4a80b @dhh dhh committed Nov 6, 2008
View
@@ -1,5 +1,7 @@
*2.2.1 [RC2 or 2.2 final]*
+* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary]
+
* Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov]
* Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik]
@@ -160,7 +160,7 @@ def process_attributes_for(node, options)
if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
node.attributes.delete(attr_name)
else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+ node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
end
end
end
@@ -253,6 +253,10 @@ def test_should_sanitize_unterminated_cdata_section
assert_sanitized "<![CDATA[<span>neverending...", "&lt;![CDATA[&lt;span>neverending...]]>"
end
+ def test_should_not_mangle_urls_with_ampersand
+ assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
+ end
+
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new
View
@@ -1,6 +1,6 @@
*2.2.1 [RC2 or 2.2 final]*
-* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 as they only clutter up the log and offer no value [DHH]
+* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 for the MysqlAdapter as they only clutter up the log and offer no value [DHH]
* Ensure indices don't flip order in schema.rb #1266 [Jordi Bunster]

0 comments on commit a358d87

Please sign in to comment.