Fixed the sanitize helper to avoid double escaping already properly e…

…scaped entities [#683 state:committed]
rails · Nov 6, 2008 · a358d87 · a358d87
1 parent 0777732
commit a358d87
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *2.2.1 [RC2 or 2.2 final]*
 
+* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary]
+
 * Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov]
 
 * Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik]

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -160,7 +160,7 @@ def process_attributes_for(node, options)
         if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
           node.attributes.delete(attr_name)
         else
-          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
         end
       end
     end

diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -253,6 +253,10 @@ def test_should_sanitize_unterminated_cdata_section
     assert_sanitized "<![CDATA[<span>neverending...", "&lt;![CDATA[&lt;span>neverending...]]>"
   end
 
+  def test_should_not_mangle_urls_with_ampersand
+     assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
+  end
+
 protected
   def assert_sanitized(input, expected = nil)
     @sanitizer ||= HTML::WhiteListSanitizer.new

diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -1,6 +1,6 @@
 *2.2.1 [RC2 or 2.2 final]*
 
-* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 as they only clutter up the log and offer no value [DHH]
+* Stop logging SHOW FIELDS and SET SQL_AUTO_IS_NULL=0 for the MysqlAdapter as they only clutter up the log and offer no value [DHH]
 
 * Ensure indices don't flip order in schema.rb #1266 [Jordi Bunster]