From d592db9308fa8823e2d40f94cee8874b39c0dc65 Mon Sep 17 00:00:00 2001
From: matz
Date: Thu, 8 Feb 2007 07:19:54 +0000
Subject: [PATCH] * lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single unescaped ampersand. a patch from Tietew in [ruby-dev:30292]. fixed: [ruby-dev:30289]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@11660 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 7 +++++++
 lib/cgi.rb | 10 +++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 368dc555ee..8ee3f02089 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,13 @@ Thu Feb 8 15:00:14 2007 Koichi Sasada
 * common.mk: fix around vm_opts.h path and remove harmful argument passed to insns2vm.rb.
+Thu Feb 8 03:11:47 2007 Yukihiro Matsumoto
+
+ * lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single
+ unescaped ampersand. a patch from Tietew
+ in [ruby-dev:30292].
+ fixed: [ruby-dev:30289]
+
 Wed Feb 7 23:25:31 2007 Nobuyoshi Nakada
 * eval.c (specific_eval): suppress warning.
diff --git a/lib/cgi.rb b/lib/cgi.rb
index cb348596ea..b6e432eb48 100644
--- a/lib/cgi.rb
+++ b/lib/cgi.rb
@@ -367,13 +367,13 @@ class CGI
 # CGI::unescapeHTML("Usage: foo "bar" <baz>")
 # # => "Usage: foo \"bar\" "
 def CGI::unescapeHTML(string)
- string.gsub(/&(.*?);/n) do
+ string.gsub(/&(amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/n) do
 match = $1.dup
 case match
- when /\Aamp\z/ni then '&'
- when /\Aquot\z/ni then '"'
- when /\Agt\z/ni then '>'
- when /\Alt\z/ni then '<'
+ when 'amp' then '&'
+ when 'quot' then '"'
+ when 'gt' then '>'
+ when 'lt' then '<'
 when /\A#0*(\d+)\z/n then
 if Integer($1) < 256
 Integer($1).chr
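Review bot: The new alternation `amp|quot|gt|lt` in the gsub regex and the literal `when 'amp'` … `when 'lt'` branches are case-sensitive, whereas the removed `/\Aamp\z/ni` patterns carried the `i` flag, so input such as `&AMP;` or `&Lt;` that this method used to decode is now passed through untouched. Matching named references case-sensitively is the stricter and more predictable reading, and narrowing the pattern from `&(.*?);` to the known entities is the actual fix for the stray-ampersand bug, but the commit message does not mention the case-sensitivity change; record it in the method's comment, e.g. `#   Named entities are matched case-sensitively; "&AMP;" is returned unchanged.`. With `match` now only compared against string literals, `match = $1.dup` no longer needs the `dup`. The regex also admits `&#x…;` references, which the hex `when` clause presumably handles, but the body of `CGI::unescapeHTML` continues past the end of the hunk so that cannot be confirmed here.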