ruby-changes:24636

From: shugo <ko1@a...>
Date: Mon, 13 Aug 2012 13:17:11 +0900 (JST)
Subject: [ruby-changes:24636] shugo:r36687 (trunk): * lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape

shugo	2012-08-13 13:17:00 +0900 (Mon, 13 Aug 2012)

  New Revision: 36687

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=36687

  Log:
    * lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
      single quotes. [ruby-core:47138] [Bug #6861]

  Modified files:
    trunk/ChangeLog
    trunk/lib/erb.rb
    trunk/test/erb/test_erb.rb

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 36686)
+++ ChangeLog	(revision 36687)
@@ -1,3 +1,8 @@
+Mon Aug 13 13:13:19 2012  Shugo Maeda  <shugo@r...>
+
+	* lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
+	  single quotes. [ruby-core:47138] [Bug #6861]
+
 Sun Aug 12 11:57:20 2012  Kazuki Tsujimoto  <kazuki@c...>
 
 	* vm.c (invoke_block_from_c): fix unintentional block passing.
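Review bot: the ChangeLog entry names `CGI.escape`, but the lib/erb.rb hunk below calls `CGI.escapeHTML`; `CGI.escape` is the URL percent-encoder, not an HTML escaper, so the entry (and the commit log) should read `use CGI.escapeHTML to escape single quotes` to avoid misleading anyone auditing the escaping behaviour later.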
Index: lib/erb.rb
===================================================================
--- lib/erb.rb	(revision 36686)
+++ lib/erb.rb	(revision 36687)
@@ -10,6 +10,8 @@
 #
 # You can redistribute it and/or modify it under the same terms as Ruby.
 
+require "cgi/util"
+
 #
 # = ERB -- Ruby Templating
 #
@@ -909,7 +911,7 @@
     #   is a &gt; 0 &amp; a &lt; 10?
     #
     def html_escape(s)
-      s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
+      CGI.escapeHTML(s)
     end
     alias h html_escape
     module_function :h
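Review bot: the replacement body drops the `s.to_s` that the old gsub chain applied first, so `html_escape(nil)` and `html_escape(42)`, which previously returned `""` and `"42"`, are now handed straight to `CGI.escapeHTML`, which in cgi/util calls `gsub` on its argument and will raise for non-String values; keep the coercion with `CGI.escapeHTML(s.to_s)` so existing templates that interpolate nil keep working. The doc comment above the method (`is a &gt; 0 &amp; a &lt; 10?`) should also mention that `'` is now escaped, since that is the point of the change.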
Index: test/erb/test_erb.rb
===================================================================
--- test/erb/test_erb.rb	(revision 36686)
+++ test/erb/test_erb.rb	(revision 36687)
@@ -37,6 +37,16 @@
     }
     assert_match(/\Atest filename:1\b/, e.backtrace[0])
   end
+
+  def test_html_escape
+    # TODO: &apos; should be chaged to &#x27;
+    assert_equal(" !&quot;\#$%&amp;&apos;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+                 ERB::Util.html_escape(" !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"))
+
+    assert_equal("", ERB::Util.html_escape(""))
+    assert_equal("abc", ERB::Util.html_escape("abc"))
+    assert_equal("&lt;&lt;", ERB::Util.html_escape("<<"))
+  end
 end
 
 class TestERBCore < Test::Unit::TestCase
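Review bot: the expected string in `test_html_escape` hard-codes `&apos;` while the TODO in the same hunk says it should be `&#x27;`; `&apos;` is not a defined entity in HTML 4.01, so templates served as text/html may show it literally, and pinning it in a test makes the later fix a deliberate test change. Either resolve the TODO before landing or assert against what `CGI.escapeHTML` actually emits. Minor: "chaged" in the TODO should be "changed", and a case such as `assert_equal("", ERB::Util.html_escape(nil))` would document the `to_s` behaviour of the previous implementation.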

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/