Merge pull request #2806 from Elberet/fix-escape-single-quotes

FIX: double-escaped single quotes in URLs
2024-11-24 07:34:18 +08:00 · 2014-09-19 13:32:43 +10:00 · 2014-09-19 13:32:43 +10:00 · bf51fbf030
commit bf51fbf030
parent 3c6f7908ac 543bc53598
2 changed files with 2 additions and 2 deletions
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@ -166,7 +166,7 @@ Discourse.Markdown = {
    var url = typeof(uri) === "string" ? uri : uri.toString();
    // escape single quotes
-    url = url.replace(/'/g, "&#39;");
+    url = url.replace(/'/g, "%27");
    // whitelist some iframe only
    if (hints && hints.XML_TAG === "iframe" && hints.XML_ATTR === "src") {
--- a/test/javascripts/lib/markdown-test.js.es6
+++ b/test/javascripts/lib/markdown-test.js.es6
@ -458,7 +458,7 @@ test("urlAllowed", function() {
  allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
  equal(urlAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
-        "http://google.com/test&#39;onmouseover=alert(&#39;XSS!&#39;);//.swf",
+        "http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf",
        "escape single quotes");
 });