-rw-r--r--ChangeLog5
-rw-r--r--lib/erb.rb4
-rw-r--r--test/erb/test_erb.rb10
3 files changed, 18 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 2a15949f61..c7f16d7093 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Mon Aug 13 13:13:19 2012 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
+ single quotes. [ruby-core:47138] [Bug #6861]
+
Sun Aug 12 11:57:20 2012 Kazuki Tsujimoto <kazuki@callcc.net>
* vm.c (invoke_block_from_c): fix unintentional block passing.
diff --git a/lib/erb.rb b/lib/erb.rb
index bb47943a86..d30911e0f1 100644
--- a/lib/erb.rb
+++ b/lib/erb.rb
@@ -10,6 +10,8 @@
#
# You can redistribute it and/or modify it under the same terms as Ruby.
+require "cgi/util"
+
#
# = ERB -- Ruby Templating
#
@@ -909,7 +911,7 @@ class ERB
# is a &gt; 0 &amp; a &lt; 10?
#
def html_escape(s)
- s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
+ CGI.escapeHTML(s)
end
alias h html_escape
module_function :h
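Review bot: The rewritten `html_escape` drops the `s.to_s` coercion the removed line performed, so callers that pass `nil` or a non-String (e.g. `h(nil)`, `h(42)`) now raise instead of returning `""` / `"42"`; `CGI.escapeHTML` works on its argument as a String and does not coerce. The single-quote escaping itself is the right fix, but the call should be `CGI.escapeHTML(s.to_s)` to keep the previous contract. The documentation comment for this method begins above the hunk; it should be updated to state that `'` is now escaped as well, since the visible example (`is a &gt; 0 &amp; a &lt; 10?`) does not show it.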
diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
index 05d255623a..79c8d9c0e2 100644
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@@ -37,6 +37,16 @@ class TestERB < Test::Unit::TestCase
}
assert_match(/\Atest filename:1\b/, e.backtrace[0])
end
+
+ def test_html_escape
+ # TODO: &apos; should be chaged to &#x27;
+ assert_equal(" !&quot;\#$%&amp;&apos;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+ ERB::Util.html_escape(" !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"))
+
+ assert_equal("", ERB::Util.html_escape(""))
+ assert_equal("abc", ERB::Util.html_escape("abc"))
+ assert_equal("&lt;&lt;", ERB::Util.html_escape("<<"))
+ end
end
class TestERBCore < Test::Unit::TestCase
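Review bot: `test_html_escape` only feeds String inputs to `html_escape`, so it cannot catch the behavioral change in `lib/erb.rb` where the former `s.to_s` coercion was removed; add `assert_equal("", ERB::Util.html_escape(nil))` and `assert_equal("1", ERB::Util.html_escape(1))` so the contract for non-String arguments is pinned either way. The first assertion also hard-codes `&apos;`, which is an XML/XHTML entity rather than an HTML 4 one and is rendered literally by some older browsers, so it does not neutralise a quote in a single-quoted attribute there; the TODO on the line above already notes this, and a numeric reference (`&#39;` or `&#x27;`) should be asserted once `cgi/util` emits it.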