Make sure strip_tags removes tags which start with a non-printable character

Signed-off-by: N Michael Koziarski <michael@koziarski.com>

Make sure strip_tags removes tags which start with a non-printable character
Signed-off-by: N Michael Koziarski <michael@koziarski.com>
785281ad · Gabe da Silveira · Michael Koziarski · a60779f7 · 785281ad · 785281ad
2 changed file
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ def parse(parent, line, pos, content, strict=true)
          end
          
          closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
          name.downcase!
  
          unless closing

--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -19,6 +19,7 @@ def test_strip_tags
    assert_equal "This has a  here.", sanitizer.sanitize("This has a <!-- comment --> here.")
    assert_equal "This has a  here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
    assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+    assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
    [nil, '', '   '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
  end