Commit d94ae72a
Authored Oct 20, 2015 by Sean Griffin

Merge pull request #19992 from greysteil/handle-invalid-utf8-in-html-escape
Handle invalid UTF-8 strings when HTML escaping

Parents: cd46bfc5, 05a2a6a0

Showing 3 changed files with 19 additions and 4 deletions (+19 -4)

activesupport/CHANGELOG.md (+9 -0)
activesupport/lib/active_support/core_ext/string/output_safety.rb (+2 -2)
activesupport/test/core_ext/string_ext_test.rb (+8 -2)
activesupport/CHANGELOG.md @ d94ae72a
*
Handle invalid UTF-8 strings when HTML escaping
Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8
strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`.
Prevents user-entered input passed from a querystring into a form field from
causing invalid byte sequence errors.
*Grey Baker*
*
Update
`ActiveSupport::Multibyte::Chars#slice!`
to return
`nil`
if the
arguments are out of bounds, to mirror the behavior of
`String#slice!`
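Review bot: the entry describes the symptom that went away (invalid byte sequence errors from querystring input landing in a form field) but not the new behaviour, which is that `html_escape` and `html_escape_once` now return a repaired string instead of raising; because `tidy_bytes` recodes the invalid bytes, the escaped output can contain characters that were not in the input, and the entry should say so, since callers that compared escaped output against the original bytes will see a change. Also, `ERB::Util.unwrapped_html_escape` is marked `# :nodoc:` in the output_safety.rb hunk, so a user-facing changelog entry reads better naming the public `ERB::Util.html_escape` that the tests exercise.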
activesupport/lib/active_support/core_ext/string/output_safety.rb @ d94ae72a
@@ -37,7 +37,7 @@ def unwrapped_html_escape(s) # :nodoc:
if
s
.
html_safe?
s
else
s
.
gsub
(
HTML_ESCAPE_REGEXP
,
HTML_ESCAPE
)
ActiveSupport
::
Multibyte
::
Unicode
.
tidy_bytes
(
s
)
.
gsub
(
HTML_ESCAPE_REGEXP
,
HTML_ESCAPE
)
end
end
module_function
:unwrapped_html_escape
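Review bot: the `html_safe?` branch still returns `s` untouched, so a string already marked html_safe that carries invalid bytes bypasses `tidy_bytes` entirely, while the same bytes in a non-safe string are recoded; that is defensible (html_safe is the caller's promise about the content) but deserves a comment on the `if s.html_safe?` line, because the changelog entry says invalid UTF-8 is now handled without qualification. Separately, `tidy_bytes` now runs on every escape of a non-safe string, including the common case where the string is already valid UTF-8; if that shows up in profiling of view rendering, a `s.valid_encoding?` guard ahead of the `tidy_bytes` call would confine the recoding to the strings that need it.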
@@ -50,7 +50,7 @@ def unwrapped_html_escape(s) # :nodoc:
# html_escape_once('<< Accept & Checkout')
# # => "<< Accept & Checkout"
def
html_escape_once
(
s
)
result
=
s
.
to_s
.
gsub
(
HTML_ESCAPE_ONCE_REGEXP
,
HTML_ESCAPE
)
result
=
ActiveSupport
::
Multibyte
::
Unicode
.
tidy_bytes
(
s
.
to_s
)
.
gsub
(
HTML_ESCAPE_ONCE_REGEXP
,
HTML_ESCAPE
)
s
.
html_safe?
?
result
.
html_safe
:
result
end
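Review bot: `html_escape_once` now tidies its input unconditionally (the `tidy_bytes(s.to_s)` call runs before the `s.html_safe?` check, which only decides whether `result` is re-marked safe), whereas `unwrapped_html_escape` in the hunk above leaves html_safe strings untouched; the two methods should agree on whether html_safe input containing invalid bytes is recoded, so either the hunk above should tidy in both branches or this one should skip `tidy_bytes` for html_safe input. The doc comment above the method (`# html_escape_once('<< Accept & Checkout')`) could also gain a line showing that invalid bytes are recoded rather than raising, since that is the behaviour this change introduces.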
activesupport/test/core_ext/string_ext_test.rb @ d94ae72a
@@ -782,8 +782,8 @@ def to_s
end
test
"ERB::Util.html_escape should correctly handle invalid UTF-8 strings"
do
string
=
[
192
,
60
].
pack
(
'CC'
)
expected
=
192
.
chr
+
"
<"
string
=
"
\251
<"
expected
=
"©
<"
assert_equal
expected
,
ERB
::
Util
.
html_escape
(
string
)
end
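Review bot: the replacement input is built around the single byte `\251` (0xA9), which `tidy_bytes` treats as Windows-1252 and recodes to `©`, so the assertion now pins the specific recoding policy of `tidy_bytes` rather than the looser property the test name states ("should correctly handle invalid UTF-8 strings"); a comment saying that 0xA9 is CP1252 `©` would keep the intent readable, and the removed `[192, 60].pack('CC')` form had the merit of stating the bytes explicitly. Also, as rendered here the `expected` value ends in a bare `<`, which would assert that `html_escape` leaves `<` unescaped; if that is the diff viewer unescaping `&lt;`, fine, but it is worth confirming that the committed file asserts the entity.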
@@ -799,6 +799,12 @@ def to_s
assert_equal
escaped_string
,
ERB
::
Util
.
html_escape_once
(
string
)
assert_equal
escaped_string
,
ERB
::
Util
.
html_escape_once
(
escaped_string
)
end
test
"ERB::Util.html_escape_once should correctly handle invalid UTF-8 strings"
do
string
=
"
\251
<"
expected
=
"© <"
assert_equal
expected
,
ERB
::
Util
.
html_escape_once
(
string
)
end
end
class
StringExcludeTest
<
ActiveSupport
::
TestCase
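Review bot: the new `html_escape_once` test covers only a plain string; since the method's return value depends on `s.html_safe?` (the `s.html_safe? ? result.html_safe : result` line in the output_safety.rb hunk) and the `tidy_bytes` call now produces a fresh string in place of `s.to_s.gsub(...)`, it would be worth asserting that `string.html_safe` input still yields an `html_safe?` result, and, following the pattern of the assertions just above it (`html_escape_once(escaped_string)`), that calling `html_escape_once` on its own output returns the same `"© <"` value, so the recoding is shown to be idempotent as well as non-raising.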