Fix handling of hexadecimal escapes in escape_once
This also aligns the behavior once again with current behavior of
ActionView::Helpers::TagHelper#escape_once / ERB::Util::html_escape_once,
which escape_once was originally based on.

Fixes #792
cr7pt0gr4ph7 committed Feb 22, 2024
1 parent 4a4fe3c commit 8ad8b43
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/liquid/standardfilters.rb
Expand Up @@ -21,7 +21,7 @@ module StandardFilters
'"' => '"',
"'" => ''',
}.freeze
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
STRIP_HTML_BLOCKS = Regexp.union(
%r{<script.*?</script>}m,
/<!--.*?-->/m,
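Review bot: In the new `HTML_ESCAPE_ONCE_REGEXP`, the added alternative `(#[xX][\dA-Fa-f]+)` is a third capturing group inside a negative lookahead, where a group can never hold a value on a successful match, so the extra parentheses only add noise. Consider non-capturing grouping and Ruby's `\h` hex-digit class, e.g. `/["><']|&(?!(?:[a-zA-Z]+|#\d+|#[xX]\h+);)/`, and a short comment above the constant naming the three reference forms (named, decimal, hexadecimal) that are left unescaped. Separately, the named-reference alternative `[a-zA-Z]+` still does not match names that contain digits, so a reference such as `&frac12;` has its ampersand escaped a second time.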
2 changes: 2 additions & 0 deletions test/integration/standard_filter_test.rb
Expand Up @@ -168,6 +168,8 @@ def test_h

def test_escape_once
assert_equal('&lt;strong&gt;Hulk&lt;/strong&gt;', @filters.escape_once('&lt;strong&gt;Hulk</strong>'))
assert_equal("1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3", @filters.escape_once('1 <>&"\' 2 &amp; 3'))
assert_equal(" &#X27; &#x27; &#x03BB; &#X03bb; &quot; &#39; &lt; &gt; ", @filters.escape_once(" &#X27; &#x27; &#x03BB; &#X03bb; \" ' < > "))
end

def test_base64_encode
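Review bot: The new assertion in `test_escape_once` exercises only well-formed hexadecimal references, so nothing pins down the reject side of the new alternative. Add inputs whose ampersand must still be escaped: no digits (`&#x;`), non-hex digits (`&#xZZ;`) and a missing semicolon (`&#x27`), for example `assert_equal('&amp;#x; &amp;#xZZ; &amp;#x27', @filters.escape_once('&#x; &#xZZ; &#x27'))`.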