
Ticket #10622 (new defect)

Opened 2 years ago

Last modified 1 year ago

[PATCH] [TEST] String#escapeHTML to escape double quotes.

Reported by: pointy Assigned to: sam
Priority: normal Milestone: 2.x
Component: Prototype Version: edge
Severity: normal Keywords:
Cc:

Description

In order to protect quote characters when (for example) constructing HTML tag attributes from string values, the escapeHTML function should encode single- and double-quote characters as the appropriate HTML entities.
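As an added example (not Prototype's code and not the attached patch, which per the thread covers double quotes only): a plain JavaScript escaper that encodes both quote characters beside a reconstruction of the escape-only-&lt;&gt;&amp; behaviour the ticket reports, plus a small attribute tokenizer that makes the difference visible when the escaped value lands inside a tag attribute. The helper names, the tokenizer and the sample value are all assumptions constructed for this illustration.

```javascript
// Added example, not Prototype's code: an HTML escaper that also encodes both
// quote characters, beside a reconstruction of the escape-only-&<> behaviour
// this ticket reports, and a small attribute tokenizer that shows the difference
// when the escaped string is placed inside a tag attribute.

// Assumed reconstruction of the pre-patch behaviour: only &, < and > are escaped.
function escapeHTMLTextOnly(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute-safe escaper: one pass over the five characters that can change
// HTML structure in text nodes or in double- or single-quoted attribute values.
var ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHTML(s) {
  return String(s).replace(/[&<>"']/g, function (c) { return ESCAPES[c]; });
}

// Inverse of escapeHTML, used to check that an attribute value round-trips intact.
var UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
function unescapeHTML(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, function (_, name) {
    return UNESCAPES[name];
  });
}

// Builds a tag the way the ticket describes: a string value dropped into a
// double-quoted attribute after passing through the given escaper.
function buildInput(value, escaper) {
  return '<input type="text" value="' + escaper(value) + '">';
}

// Minimal attribute tokenizer (hypothetical helper, not a full HTML parser):
// returns a name -> raw value map for a single start tag, splitting attributes
// roughly as the HTML tokenizer does, so injected attributes become visible.
function tagAttributes(tagHtml) {
  var m = /^<[A-Za-z][^\s\/>]*\s*([\s\S]*?)\/?>$/.exec(tagHtml);
  if (!m) { throw new Error('expected a single start tag'); }
  var attrs = {};
  var re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  var a;
  while ((a = re.exec(m[1])) !== null) {
    var v = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
    attrs[a[1].toLowerCase()] = v;
  }
  return attrs;
}

// Constructed sample input: a value carrying a double quote followed by text
// shaped like a second attribute.
var SAMPLE_VALUE = 'plain" data-injected="yes';

// Attribute names the tokenizer sees when SAMPLE_VALUE goes through each escaper.
function injectedAttributeNames(escaper) {
  return Object.keys(tagAttributes(buildInput(SAMPLE_VALUE, escaper)));
}

console.log('text-only escaper  :', injectedAttributeNames(escapeHTMLTextOnly).join(', '));
console.log('quote-aware escaper:', injectedAttributeNames(escapeHTML).join(', '));
```

With the text-only escaper the tokenizer reports a third attribute, data-injected, that the template author never wrote; with the quote-aware escaper the whole string stays inside the value attribute and decodes back to the original. Encoding the single quote as well (as &#39;, which every HTML parser accepts, unlike &apos; in older HTML) keeps the same function usable for single-quoted attributes.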

Attachments

escapeHTML.diff (0.9 kB) - added by kangax on 01/28/08 09:59:17.
escapeHTML_test.diff (0.8 kB) - added by kangax on 02/04/08 16:49:44.

Change History

01/28/08 09:59:17 changed by kangax

  • attachment escapeHTML.diff added.

01/28/08 10:00:06 changed by kangax

Well, looks like Ruby's html_escape escapes only double quotes http://www.ruby-doc.org/stdlib/libdoc/erb/rdoc/classes/ERB/Util.html#M000623

Prototype doesn't escape them at all.

01/28/08 10:01:02 changed by kangax

  • summary changed from Prototype String#escapeHTML() does not escape quotes. to [PATCH] String#escapeHTML to escape double quotes..

02/04/08 16:49:44 changed by kangax

  • attachment escapeHTML_test.diff added.

02/04/08 16:50:05 changed by kangax

  • summary changed from [PATCH] String#escapeHTML to escape double quotes. to [PATCH] [TEST] String#escapeHTML to escape double quotes..

12/18/08 15:24:33 changed by fearphage

"the escapeHTML function should encode single- and double-quote characters as the appropriate HTML entities"

You say single quotes also need to be escaped, but the patch only takes double quotes into account.

12/18/08 17:22:40 changed by kangax

@fearphage

I don't remember saying that single quotes should be escaped. In fact, I would very much want to find some kind of spec that states exact behavior for such facility (i.e. other than ruby's escape_html).

12/18/08 18:10:16 changed by fearphage

@kangax: Look at the description for this ticket. You said it there.

12/18/08 18:20:20 changed by kangax

@fearphage that was "pointy" (ticket author) : )

12/18/08 18:26:18 changed by fearphage

@kangax: Whoops! You added the patches though. The ticket says one thing and the patch does another. That was my point.