authorshugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-08-13 04:17:00 +0000
committershugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-08-13 04:17:00 +0000
commit4093598bf6eca8fce16fcb8695c4717063a5f6a0 (patch)
tree44e970d39dc70a9d995fdfe5a8b72a7eabe0bc30
parenta63210855772fbeb62203872044e4403981c2daa (diff)
* lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
single quotes. [ruby-core:47138] [Bug #6861] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36687 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog5
-rw-r--r--lib/erb.rb4
-rw-r--r--test/erb/test_erb.rb10
3 files changed, 18 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 2a15949..c7f16d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Mon Aug 13 13:13:19 2012 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
+ single quotes. [ruby-core:47138] [Bug #6861]
+
Sun Aug 12 11:57:20 2012 Kazuki Tsujimoto <kazuki@callcc.net>
* vm.c (invoke_block_from_c): fix unintentional block passing.
diff --git a/lib/erb.rb b/lib/erb.rb
index bb47943..d30911e 100644
--- a/lib/erb.rb
+++ b/lib/erb.rb
@@ -10,6 +10,8 @@
#
# You can redistribute it and/or modify it under the same terms as Ruby.
+require "cgi/util"
+
#
# = ERB -- Ruby Templating
#
@@ -909,7 +911,7 @@ class ERB
# is a &gt; 0 &amp; a &lt; 10?
#
def html_escape(s)
- s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
+ CGI.escapeHTML(s)
end
alias h html_escape
module_function :h
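Review bot: The new body drops the `s.to_s` coercion the removed line performed, so callers that pass a non-String (the old code turned `nil` into `""` and an Integer into its decimal text before escaping) now hand the raw object to `CGI.escapeHTML`, which presumably raises instead of escaping; suggest `CGI.escapeHTML(s.to_s)` to keep the old contract. The commit message and ChangeLog say `CGI.escape`, which is URL encoding, while the code calls `CGI.escapeHTML`; the ChangeLog entry should name the method actually used. The doc comment above the hunk describes the old escaping set and should mention that `'` is now escaped as well, since that is the purpose of the change; that comment block begins outside the hunk.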
diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
index 05d2556..79c8d9c 100644
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@@ -37,6 +37,16 @@ class TestERB < Test::Unit::TestCase
}
assert_match(/\Atest filename:1\b/, e.backtrace[0])
end
+
+ def test_html_escape
+ # TODO: &apos; should be chaged to &#x27;
+ assert_equal(" !&quot;\#$%&amp;&apos;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+ ERB::Util.html_escape(" !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"))
+
+ assert_equal("", ERB::Util.html_escape(""))
+ assert_equal("abc", ERB::Util.html_escape("abc"))
+ assert_equal("&lt;&lt;", ERB::Util.html_escape("<<"))
+ end
end
class TestERBCore < Test::Unit::TestCase
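Review bot: The new test_html_escape only exercises String inputs, while the implementation it replaces accepted any object via `to_s`; an assertion such as `assert_equal("", ERB::Util.html_escape(nil))` would pin whether that contract survives the switch to `CGI.escapeHTML`. The TODO comment has a typo, `chaged` → `changed`, and would be more useful if it said why `&apos;` is undesirable (it is not an HTML 4 named entity, so `&#x27;` or `&#39;` is the portable form), so the next maintainer knows what to change and why. The first assertion covers the printable 7-bit range only; a case with a non-ASCII string would guard the encoding behaviour of the new delegate.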