mirror of https://github.com/haml/haml.git synced 2022-11-09 12:33:31 -05:00

Don't escape quotes when escaping HTML.

Quotes only need to be escaped for attributes,
and that's handled adequately and more intelligently by build_attributes.
Nathan Weizenbaum 2008-03-22 22:14:40 -07:00
parent 402977ccc7
commit f3ac053f9c
2 changed files with 5 additions and 4 deletions


@ -324,18 +324,18 @@ END
end
# Characters that need to be escaped to HTML entities from user input
HTML_ESCAPE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }
HTML_ESCAPE = {'&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;'}
# Returns a copy of <tt>text</tt> with ampersands, angle brackets and quotes
# escaped into HTML entities.
def html_escape(text)
text.to_s.gsub(/[\"><&]/) { |s| HTML_ESCAPE[s] }
text.to_s.gsub(/[><&]/) { |s| HTML_ESCAPE[s] }
end
# Escapes HTML entities in <tt>text</tt>, but without escaping an ampersand
# that is already part of an escaped entity.
def escape_once(text)
text.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |s| HTML_ESCAPE[s] }
text.to_s.gsub(/[><]|&(?!([a-zA-Z]+|(#\d+));)/) { |s| HTML_ESCAPE[s] }
end
private
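Review bot: The doc comment on `html_escape` still promises that quotes are escaped, but the new body and the new `HTML_ESCAPE` table cover only `&`, `<` and `>`, so the comment now overstates what the method guarantees. I would change it to `# Returns a copy of <tt>text</tt> with ampersands and angle brackets escaped into HTML entities.` and add `# The result is safe as element content only; quotes are left as-is, so attribute values must go through build_attributes.` Both `html_escape` and `escape_once` sit above `private` in this hunk, so they appear to be callable from outside; any caller that places their output inside a hand-written quoted attribute loses its quote escaping with this change, and that is worth checking for before merging. The enclosing module starts outside the hunk.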


@ -211,7 +211,8 @@ class EngineTest < Test::Unit::TestCase
def test_attr_wrapper
assert_equal("<p strange=*attrs*>\n</p>\n", render("%p{ :strange => 'attrs'}", :attr_wrapper => '*'))
assert_equal("<p escaped=\"quo&quot;te\">\n</p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
assert_equal("<p escaped='quo\"te'>\n</p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
assert_equal("<p escaped=\"quo'te\">\n</p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
assert_equal("<p escaped=\"q'uo&quot;te\">\n</p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
assert_equal("<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n", render("!!! XML", :attr_wrapper => '"'))
end
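Review bot: The quote-handling assertions in `test_attr_wrapper` all pass `:attr_wrapper => '"'`, so the wrapper switching and the `&quot;` fallback are pinned for one wrapper only. Nothing here checks a value containing both quote characters under the `'` wrapper, nor that `<`, `>` and `&` inside an attribute value are still escaped now that `HTML_ESCAPE` is smaller. I would add a mirrored case built on `render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => "'")`, with the expected string taken from what build_attributes is meant to emit, plus one assertion whose value contains `<` and `&`. Which wrapper is the default is not visible in this hunk, so this assumes `'` is a supported value.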