
Make sure strip_tags removes tags which start with a non-printable character

Signed-off-by: Michael Koziarski <michael@koziarski.com>
commit bfe032858077bb2946abe25e95e485ba6da86bd5 1 parent 3719bd3
Gabe da Silveira authored November 16, 2009 NZKoz committed November 27, 2009
2  actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ def parse(parent, line, pos, content, strict=true)
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
           name.downcase!
   
           unless closing
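Review bot: the widened character class on the `+` line carries no comment explaining why control characters are now accepted as part of a tag name, nor why `\x0a` and `\x0d` are excluded from the ranges while `\x09` is included. Without that, the next reader is likely to take `\x00-\x09\x0b-\x0c\x0e-\x1f` for a typo and narrow it back to `[\w:-]+`, which would silently reintroduce the case the commit message describes (a tag whose name starts with a non-printable character falling through to `Text.new` instead of being parsed, and therefore not being stripped). A one-line comment above the `return` stating that intent, and noting that the name is still `downcase!`d and matched as a tag afterwards, would make the change self-explaining.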
1  actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -19,6 +19,7 @@ def test_strip_tags
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <!-- comment --> here.")
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
     assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+    assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
     [nil, '', '   '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
   end
 
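Review bot: the single new assertion exercises only one control character (`\x07`) in the leading position, while the parser change admits several ranges anywhere in the name. It would be worth adding a case at each range boundary (for example `\x00`, `\x1f`, and `\x0b`), one with the control character in the middle of the name rather than at the start, and a negative case confirming that a tag name containing `\x0a` or `\x0d` is still not treated as a tag, since those two are the only bytes below `\x20` the new class leaves out; as written, a regression that dropped or shifted one of the ranges would still pass this test.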

3 notes on commit bfe0328

Brian Cardarella

Is there a reason why ActiveModel is in the 2.3.5 branch?

Pratik
Owner

It has always been there.

Jeremy Kemper
Owner

Right, it's been there. It's just not released in the 2.x series.
