[Haml] Fix the nasty potential XSS issue that Rails fixed a bit ago.
parent 25e06a126d
commit fcf0d8ff74
|
@ -3,6 +3,11 @@
|
|||
* Table of contents
|
||||
{:toc}
|
||||
|
||||
## 2.2.8 (Unreleased)
|
||||
|
||||
* Fixed a potential XSS issue with HTML escaping and wacky Unicode nonsense.
|
||||
This is the same as [the issue fixed in Rails](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/48ab3f4a2c16190f) a bit ago.
|
||||
|
||||
## [2.2.7](http://github.com/nex3/haml/commit/2.2.7)
|
||||
|
||||
* Fixed an `html2haml` issue where ERB attribute values
|
||||
|
|
|
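Review bot: the changelog entry in this hunk only says "wacky Unicode nonsense" and links to the Rails thread; it should state what was actually wrong and what changed, because that is what a downstream maintainer needs in order to decide whether to upgrade. The fix in this commit is the `/n` flag on the regexps in `Haml::Helpers#html_escape` and `#escape_once`, which makes the `"`, `<`, `>` and `&` characters match byte-wise instead of as part of a (possibly malformed) multibyte character. Suggest rewording to something like: `* Fixed a potential XSS issue: \`html_escape\` and \`escape_once\` now match the characters to escape byte-by-byte (regexp \`/n\` flag), so an invalid multibyte sequence in front of \`<\` can no longer stop it from being escaped.` Keep the link to the Rails announcement as the reference.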
@ -473,7 +473,7 @@ END
|
|||
# @param text [String] The string to sanitize
|
||||
# @return [String] The sanitized string
|
||||
def html_escape(text)
|
||||
text.to_s.gsub(/[\"><&]/) { |s| HTML_ESCAPE[s] }
|
||||
text.to_s.gsub(/[\"><&]/n) {|s| HTML_ESCAPE[s]}
|
||||
end
|
||||
|
||||
# Escapes HTML entities in `text`, but without escaping an ampersand
|
||||
|
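Review bot: the only change in `html_escape` is the `/n` flag, and nothing in the method records why it is there, so a later cleanup could drop it and silently reintroduce the bug. Add a comment above the `gsub` (for example `# /n: match byte-wise so a malformed multibyte prefix cannot swallow the '<' byte; see the 2.2.8 changelog`) and a regression test that feeds a string with an invalid multibyte lead byte immediately followed by `<` and asserts the output contains `&lt;`. Separately, `[\"><&]` still leaves `'` unescaped, so the result is only safe in element content or double-quoted attribute values; that predates this commit, but the `@return` doc line should say so.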
@ -482,7 +482,7 @@ END
|
|||
# @param text [String] The string to sanitize
|
||||
# @return [String] The sanitized string
|
||||
def escape_once(text)
|
||||
text.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |s| HTML_ESCAPE[s] }
|
||||
text.to_s.gsub(/[\"><]|&(?!(?:[a-zA-Z]+|(#\d+));)/n) {|s| HTML_ESCAPE[s]}
|
||||
end
|
||||
|
||||
# Returns whether or not the current template is a Haml template.
|
||||
|
|
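Review bot: in `escape_once` the outer alternation becomes a non-capturing `(?:...)` group but the inner `(#\d+)` is still capturing, which is inconsistent and costs a capture for no benefit; make it `#\d+` too. More important for correctness, the negative lookahead only recognises named entities and decimal character references, so an already-escaped hex reference such as `&#x27;` is treated as a bare ampersand and comes out as `&amp;#x27;`, which breaks the "escape once" contract the method name promises. Suggest `text.to_s.gsub(/[\"><]|&(?!(?:[a-zA-Z]+|#\d+|#[xX][0-9a-fA-F]+);)/n) {|s| HTML_ESCAPE[s]}`, with tests asserting that `&amp;`, `&#39;` and `&#x27;` pass through unchanged while a bare `&` becomes `&amp;`. The `/n` flag itself is the right fix and matches the one in `html_escape`.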