Escape values of HTML attributes
This commit is contained in:
parent
7dc8f8b794
commit
d54b339809
@ -256,7 +256,7 @@ class DiscourseDiff
|
|||
USELESS_TAGS = %w{html body}
|
||||
def start_element(name, attributes = [])
|
||||
return if USELESS_TAGS.include?(name)
|
||||
attrs = attributes.map { |a| " #{a[0]}=\"#{a[1]}\"" }.join
|
||||
attrs = attributes.map { |a| " #{a[0]}=\"#{CGI::escapeHTML(a[1])}\"" }.join
|
||||
@tokens << "<#{name}#{attrs}>"
|
||||
end
|
||||
|
||||
|
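Review bot: On the new attrs line, `CGI::escapeHTML(a[1])` raises TypeError when an attribute arrives with a nil value; whether the SAX parser feeding start_element supplies nil or an empty string for a bare attribute such as `disabled` is not visible in this hunk, so it is worth confirming, and `CGI::escapeHTML(a[1].to_s)` would make the line safe either way. The attribute name a[0] and the element name are still interpolated unescaped; if they come straight from the parser they are limited to name characters, but that assumption deserves a comment above the line, e.g. `# name and a[0] come from the parser and contain only tag/attribute-name characters; only values need escaping`. The enclosing class DiscourseDiff continues outside the hunk.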
@ -107,6 +107,11 @@ describe DiscourseDiff do
|
|||
expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p><del>'</del></p></div><div class=\"revision-content\"><p></p></div>")
|
||||
end
|
||||
|
||||
it "escapes attribute values" do
|
||||
before = "<p data-attr='Some \"quoted\" string'></p>"
|
||||
after = "<p data-attr='Some \"quoted\" string'></p>"
|
||||
expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p data-attr=\"Some "quoted" string\"></p></div><div class=\"revision-content\"><p data-attr=\"Some "quoted" string\"></p></div>")
|
||||
end
|
||||
end
|
||||
|
||||
describe "side_by_side_markdown" do
|
||||
|
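Review bot: The new example only exercises `"` inside the attribute value, while CGI::escapeHTML also rewrites `&`, `<`, `>` and `'`; a second case with a value such as `a&b<c` would pin that behaviour too. A further case with a valueless attribute would confirm that start_element does not raise when the parser supplies no value for it. The enclosing describe block starts and ends outside the hunk.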