Closed distler closed 10 years ago
```
irb(main):001:0> require 'maruku'
=> true
irb(main):002:0> s = <<END
irb(main):003:0" *foo*{: style='ball & chain'}
irb(main):004:0"
irb(main):005:0" *foo*{: style='ball\008 chain'}
irb(main):006:0"
irb(main):007:0" *foo*{: style='ball\" badAttribute=\"chain'}
irb(main):008:0" END
=> "*foo*{: style='ball & chain'}\n\n*foo*{: style='ball\u00008 chain'}\n\n*foo*{: style='ball\" badAttribute=\"chain'}\n"
irb(main):009:0> Maruku.new(s).to_html
=> "<p><em style=\"ball & chain\">foo</em></p>\n\n<p><em style=\"ball\u00008 chain\">foo</em></p>\n\n<p><em style=\"ball\" badAttribute=\"chain\">foo</em></p>"
```
Nokogiri would ensure sane attribute values. So the output from the previous serializer would have been
```html
<p><em style="ball & chain">foo</em></p>
<p><em style="ball">foo</em></p>
<p><em style="ball" badAttribute="chain">foo</em></p>
```
In addition to well-formedness issues, the third example has obvious security implications, depending on how the client program's sanitization works.
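To make the attribute-value injection from the report concrete, here is an added example in plain Ruby (not Maruku's or Nokogiri's code): a naive interpolating serializer beside an escaping one, plus a small quote-aware attribute parser that shows how a downstream consumer would read each output. Function and constant names are hypothetical and the sample values are constructed from the three IAL values above.

```ruby
# Escape a string for use inside a double-quoted HTML attribute value.
# Control characters other than tab/newline are dropped: they are not
# well-formed in HTML/XML attribute values (cf. the "\u00008" case above).
def escape_attr(value)
  value.to_s
       .gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
       .gsub('&', '&amp;')
       .gsub('"', '&quot;')
       .gsub('<', '&lt;')
       .gsub('>', '&gt;')
end

# Naive serializer (hypothetical): the raw value is interpolated, so a quote
# inside it closes the attribute early and the remainder becomes new markup.
def naive_em(text, style)
  "<em style=\"#{style}\">#{text}</em>"
end

# Hardened serializer: every interpolated value is escaped, so it can neither
# terminate the attribute nor introduce another one.
def safe_em(text, style)
  "<em style=\"#{escape_attr(style)}\">#{escape_attr(text)}</em>"
end

# Quote-aware parse of the attributes on the first <em> tag, returning
# name => value. This is what a consumer's sanitizer would "see".
def attributes_of(html)
  tag = html[/<em\b([^>]*)>/, 1] || ''
  tag.scan(/\s([A-Za-z:_][\w:.-]*)="([^"]*)"/).to_h
end

# Constructed inputs mirroring the three IAL values from the report.
INJECTION = "ball\" badAttribute=\"chain"
SAMPLES   = ['ball & chain', "ball\u00008 chain", INJECTION]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |style|
    puts "naive: #{naive_em('foo', style).inspect}"
    puts "safe:  #{safe_em('foo', style).inspect}"
    puts "attrs: #{attributes_of(naive_em('foo', style))} -> #{attributes_of(safe_em('foo', style))}"
  end
end
```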
Thanks, I'll get some tests in for that.
Thanks. This is now fixed. Let me know if you find anything else that needs work, I'm building up a 0.7.1 release soon.