Escape values of HTML attributes

This commit is contained in:
Dmitry Klimensky
2021-08-10 16:14:37 +03:00
committed by Robin Ward
parent 7dc8f8b794
commit d54b339809
2 changed files with 6 additions and 1 deletions


@ -256,7 +256,7 @@ class DiscourseDiff
USELESS_TAGS = %w{html body}
def start_element(name, attributes = [])
return if USELESS_TAGS.include?(name)
attrs = attributes.map { |a| " #{a[0]}=\"#{a[1]}\"" }.join
attrs = attributes.map { |a| " #{a[0]}=\"#{CGI::escapeHTML(a[1])}\"" }.join
@tokens << "<#{name}#{attrs}>"
end
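Review bot: The new interpolation in start_element no longer tolerates a nil attribute value: the old `"#{a[1]}"` rendered nil as an empty string, whereas `CGI::escapeHTML(a[1])` raises a TypeError on nil, so if the SAX parser ever reports a value-less attribute (the usual form for boolean attributes) this method will now fail on input it previously accepted. A `.to_s` keeps the old tolerance while escaping everything that is a string: `attrs = attributes.map { |a| " #{a[0]}=\"#{CGI.escapeHTML(a[1].to_s)}\"" }.join` (using `CGI.escapeHTML` rather than `CGI::escapeHTML` is also the conventional spelling for a method call). It is not visible in the hunk whether `cgi` is required somewhere in this file; if not, the call depends on another part of the app having loaded it. The attribute name `a[0]` and the tag `name` are still interpolated unescaped, which presumably relies on the parser constraining them to token characters; a short comment saying so, e.g. `# names come from the parser and are already token-safe; only values need escaping`, would make that assumption explicit for the next reader.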