2.3: escape_once isn't escaping single quotes and is double-escaping hex-encoded entities #9088

Closed · wants to merge 1 commit


@johndouthat
Contributor

@tenderlove recently committed d549df7, which escapes single quotes 😄 👍 , but escape_once still leaves them unescaped. And escape_once couldn't handle the hex-encoded entity, which caused it to be double-escaped.

i.e. escape_once("'") was returning "'"
and escape_once("'") was returning "'"

Formtastic uses escape_once on field values, so it was causing text inputs containing single quotes to be double-escaped. So if the user submitted the form, it would be saved to the database escaped instead of raw.
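The report above describes two defects in one helper: escape_once does not escape the single quote that html_escape now emits as `&#x27;`, and its "already an entity" check only recognises named and decimal entities, so the `&` of `&#x27;` is escaped a second time. The following is an added example, not Rails' or Formtastic's code: a minimal escape_once with a pattern modelled on the reported behaviour (`OLD_PATTERN`) beside a hardened one that also recognises hex entities (`NEW_PATTERN`), plus a simulated form round trip. The entity table, both regexes and the helper names are assumptions; the round trip assumes the field value is html_escaped, then passed through escape_once, then decoded once by the browser on submit.

```ruby
require 'cgi'

# Added example, not Rails' implementation. Entity table is an assumption.
HTML_ESCAPE = {
  '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;'
}.freeze

# Full escape as described for d549df7: single quotes become &#x27;.
def html_escape(str)
  str.to_s.gsub(/[&"'><]/) { |c| HTML_ESCAPE[c] }
end

# Pattern modelled on the reported bug: no single quote in the character
# class, and the negative lookahead only knows named (&amp;) and decimal
# (&#39;) entities, so the "&" of "&#x27;" looks bare and is re-escaped.
OLD_PATTERN = /["><]|&(?!([a-zA-Z]+|(#\d+));)/

# Hardened pattern: escapes the single quote and leaves named, decimal and
# hex-encoded entities untouched.
NEW_PATTERN = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/

# Escape only characters that are not already part of an entity.
def escape_once(str, pattern = NEW_PATTERN)
  str.to_s.gsub(pattern) { |c| HTML_ESCAPE[c] }
end

# escape_once is only safe to apply repeatedly if a second pass is a no-op.
def idempotent?(str, pattern = NEW_PATTERN)
  once = escape_once(str, pattern)
  escape_once(once, pattern) == once
end

# Simulated form round trip (assumption about the rendering pipeline):
# the value is html_escaped, passed through escape_once as the value
# attribute, and the browser decodes the attribute once before submitting.
# Returns the string that would reach the database.
def submitted_value(raw, pattern = NEW_PATTERN)
  attribute = escape_once(html_escape(raw), pattern)
  CGI.unescapeHTML(attribute)
end

if __FILE__ == $PROGRAM_NAME
  puts escape_once("'", OLD_PATTERN)          # '          (left unescaped)
  puts escape_once("&#x27;", OLD_PATTERN)     # &amp;#x27; (double-escaped)
  puts escape_once("'")                       # &#x27;
  puts escape_once("&#x27;")                  # &#x27;     (unchanged)
  puts submitted_value("O'Reilly", OLD_PATTERN) # O&#x27;Reilly (stored escaped)
  puts submitted_value("O'Reilly")              # O'Reilly      (stored raw)
end
```

A quick regression check for any escape_once variant is `idempotent?` over the output of the full escaper: if `escape_once(html_escape(s)) != html_escape(s)` for some `s`, the two helpers disagree about what counts as an entity and double-escaping will show up somewhere downstream. Note that a decimal `&#39;` is accepted by both patterns, which is why switching the emitted entity to decimal (as mentioned later in this thread) also stops the double-escaping without touching the lookahead.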

@dgm
Contributor
dgm commented Feb 8, 2013

Since d549df7 broke the 2.3 series, can't this be backported there too?

@johndouthat
Contributor

@dgm it looks like the issue was fixed by converting the hex-encoded entity to a decimal-encoded one: https://github.com/rails/rails/commits/2-3-stable (88331c5)
