Applying strip_html filter to escaped html will unescape the string #306
Comments
|
This happened because we use Jsoup library for stripping html, while the Ruby's implementation is simple and naive: STRIP_HTML_BLOCKS = Regexp.union(
/<script.*?<\/script>/m,
/<!--.*?-->/m,
/<style.*?<\/style>/m
)
STRIP_HTML_TAGS = /<.*?>/m
def strip_html(input)
empty = ''
result = input.to_s.gsub(STRIP_HTML_BLOCKS, empty)
result.gsub!(STRIP_HTML_TAGS, empty)
result
endAnd we probably should go naive implementation too |
|
Will it be safer? |
|
Fixed in <dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.15.3</version>
</dependency>As for this library the Jsoup has single use here. |
|
very much appreciate the fix here! Now that the fix is in place though, is there any other way to unescape strings at this point? |
|
@ugenl probably not. as unescaping is destructive operation - you never know which symbol before unescaping was represented via escape sequence and which not. |
|
yeah, fair enough - and people can directly substitute via |
Encountered this on liqp 0.9, though it could go further back.
Ex.
{{ "<em>test</em>" | escape }}--><em>test</em>{{ "<em>test</em>" | escape | strip_html }}--><em>test</em>The text was updated successfully, but these errors were encountered: