Fixed the bug of double-escaping in comments

1 parent da61158 commit 823dde2fc1933240bfc47f67b41eae0ddcf3ae04 @smathy committed
Showing with 10 additions and 3 deletions.
  1. +10 −3 app/models/comment.rb
13 app/models/comment.rb
@@ -40,9 +40,16 @@ def self.kill_tags(input)
# if we're passed nil, let's be kind and return an empty string
return ''
end
- input = input.gsub(/<\/?[^>]*>/, '')
- input = input.gsub('<', '&lt;')
- input = input.gsub('>', '&gt;')
+
+ _tf = Preference.get_setting('TEXT_FILTER')
+ if _tf == 'convert line breaks' || _tf == 'plain text' || !_tf
+ input = input.gsub(/<\/?[^>]*>/, '')
+ input = input.gsub('<', '&lt;')
+ input = input.gsub('>', '&gt;')
+ end
+
+ # no more XSS
+ input = input.gsub(%r{<+([/ ]*)script}i, '&lt;\1script')
end
# convert text using our filter and clean up dashes
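Review bot: the `# no more XSS` line at the end of the hunk only rewrites `<script` (and `</script`); when `_tf` is any value other than `convert line breaks`, `plain text` or nil, the tag-stripping and `<`/`>` escaping inside the `if` block are skipped, so every other tag and attribute reaches the output untouched, and a blacklist of a single tag name is not a sufficient XSS defence for that branch. Suggest replacing the regex with an allow-list sanitizer (Rails' `sanitize` helper with an explicit list of permitted tags and attributes) that runs regardless of the `TEXT_FILTER` setting, and adding a test that exercises the non-plain-text branch. Minor: `_tf` reads as a throwaway name for a local that is used three times; `text_filter` would be clearer.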
