Use CGI.escapeHTML for html escape
parent
9aff14f1ee
commit
51152fc0f8
@ -5,7 +5,6 @@ class ERB
|
||||
module Util
|
||||
HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
|
||||
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
|
||||
HTML_ESCAPE_REGEXP = /[&"'><]/
|
||||
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
|
||||
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
|
||||
|
||||
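Review bot: Dropping a constant from the ERB::Util namespace is an interface change, and this hunk's counts (7 old lines, 6 new) show exactly one line removed; HTML_ESCAPE_REGEXP is the only constant the other two hunks stop using, so presumably that is the line, though the lost markers make it impossible to confirm from this page. Any code outside this file that referenced `ERB::Util::HTML_ESCAPE_REGEXP` would now raise NameError with no deprecation step. If the removal is intended, say so in the commit description or changelog; otherwise keep the constant for one release with a comment such as `# Retained for compatibility; html_escape now delegates to CGI.escapeHTML`.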
@ -37,7 +36,7 @@ def unwrapped_html_escape(s) # :nodoc:
|
||||
if s.html_safe?
|
||||
s
|
||||
else
|
||||
ActiveSupport::Multibyte::Unicode.tidy_bytes(s).gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
|
||||
CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
|
||||
end
|
||||
end
|
||||
module_function :unwrapped_html_escape
|
||||
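Review bot: The correctness of the new `CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))` line rests on CGI.escapeHTML escaping the same five characters (`&`, `<`, `>`, `"`, `'`) the removed regexp covered, and nothing on the line records that, nor whether the entity it emits for `'` matches the old HTML_ESCAPE table (the table's values are rendered decoded on this page, so that cannot be checked here). A comment above the call such as `# CGI.escapeHTML covers & < > " ' — the same set HTML_ESCAPE_REGEXP matched; tidy_bytes runs first so invalid byte sequences never reach the escaper` keeps the contract visible to the next maintainer. It is also worth checking that this file requires `cgi` explicitly rather than relying on ERB loading it transitively, since the constant is now used directly. The `def unwrapped_html_escape` line appears only in the hunk header, so the method starts outside the hunk.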
@ -243,8 +242,7 @@ def #{unsafe_method}!(*args) # def capitalize!(*args)
|
||||
private
|
||||
|
||||
def html_escape_interpolated_argument(arg)
|
||||
(!html_safe? || arg.html_safe?) ? arg :
|
||||
arg.to_s.gsub(ERB::Util::HTML_ESCAPE_REGEXP, ERB::Util::HTML_ESCAPE)
|
||||
(!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
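Review bot: The new one-liner `(!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)` packs a negated compound condition and the escape into a single ternary, which is harder to scan than a guard clause; `return arg if !html_safe? || arg.html_safe?` followed by `CGI.escapeHTML(arg.to_s)` behaves the same and keeps the two outcomes on separate lines. The equivalence between CGI.escapeHTML and the removed regexp/table pair is the same point raised on the unwrapped_html_escape hunk and applies here as well. Unlike that method, this path does not run the value through tidy_bytes; that was already true of the old gsub call, so it only merits a comment such as `# NOTE: no tidy_bytes here, unlike unwrapped_html_escape`.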