* lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single

unescaped ampersand. a patch from Tietew <tietew+ruby-dev at tietew.net> in [ruby-dev:30292]. fixed: [ruby-dev:30289] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@11660 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2007-02-08 07:19:54 +00:00 · 2007-02-08 07:19:54 +00:00 · d592db9308
commit d592db9308
parent ea2dd2e805
2 changed files with 12 additions and 5 deletions
--- a/7
+++ b/7
@ -17,6 +17,13 @@ Thu Feb  8 15:00:14 2007  Koichi Sasada  <ko1@atdot.net>
 	* common.mk: fix around vm_opts.h path
 	  and remove harmful argument passed to insns2vm.rb.

+Thu Feb  8 03:11:47 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single
+	  unescaped ampersand.  a patch from Tietew
+	  <tietew+ruby-dev at tietew.net> in [ruby-dev:30292].
+	  fixed: [ruby-dev:30289]
+
 Wed Feb  7 23:25:31 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* eval.c (specific_eval): suppress warning.
--- a/lib/cgi.rb
+++ b/lib/cgi.rb
@ -367,13 +367,13 @@ class CGI
  #   CGI::unescapeHTML("Usage: foo &quot;bar&quot; &lt;baz&gt;")
  #      # => "Usage: foo \"bar\" <baz>"
  def CGI::unescapeHTML(string)
-    string.gsub(/&(.*?);/n) do
+    string.gsub(/&(amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/n) do
      match = $1.dup
      case match
-      when /\Aamp\z/ni           then '&'
-      when /\Aquot\z/ni          then '"'
-      when /\Agt\z/ni            then '>'
-      when /\Alt\z/ni            then '<'
+      when 'amp'                 then '&'
+      when 'quot'                then '"'
+      when 'gt'                  then '>'
+      when 'lt'                  then '<'
      when /\A#0*(\d+)\z/n       then
        if Integer($1) < 256
          Integer($1).chr