#47 Fixed String#escapeHTML and String#unescapeHTML (several fixes, memory leak) - Prototype

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:id	tickets sorted by id (creation time)
Combine keywords for powerful searching.
Use advanced searching »

#47 √ resolved

Fixed String#escapeHTML and String#unescapeHTML (several fixes, memory leak)

Reported by same | April 24th, 2008 @ 09:52 PM | in 1.6.0.3

reads:

return this.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>');

it should read:

return this.replace(/</g,'<').replace(/>/g,'>').replace(/&/g,'&');

Comments and changes to this ticket

same April 24th, 2008 @ 09:54 PM
that didn't show up
- line533.txt 189 Bytes
John-David Dalton April 24th, 2008 @ 10:09 PM
- → Milestone changed from “” to “1.6.0.3”
- → State changed from “new” to “bug”
- → Title changed from “version 1.6.0.2 line 533” to “Fixed String#escapeHTML and String#unescapeHTML (several fixes, memory leak)”
duplicate of http://dev.rubyonrails.org/ticke...
John-David Dalton April 24th, 2008 @ 10:11 PM
also the patch is committed in my fork
http://github.com/jdalton/protot...
I would like to discuss this because its a pretty drastic patch, maybe some things could be done better
same April 24th, 2008 @ 10:40 PM
This is simply a problem in the code. The ampersand should be replaced last in unescapeHTML...
Otherwise, a string ">" will turn into ">".
same April 24th, 2008 @ 10:42 PM
Sorry, i'm figuring out the formatting.
As it stands:
```
unescapeHTML on line 533 will turn "&amp;gt;" into ">"
```
John-David Dalton April 24th, 2008 @ 10:47 PM
Right. That simple problem is the tip of the iceberg of issues with these 2 methods.
Check out the tickets I linked to for more info.
same April 24th, 2008 @ 10:56 PM
Just to confirm:
you are saying that the difference between the following line 533: @@@
return this.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>');
```
and this line: @@@
    return this.replace(/&lt;/g,'<').replace(/&gt;/g,'>').replace(/&amp;/g,'&');
```
causes all kinds of problems?
the former is broken... the latter is correct based on the escapeHTML definition on line 529
same April 24th, 2008 @ 10:58 PM
Still learning...
you are saying that the difference between the following line 533: @@@
return this.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>');
```
and this line: @@@
    return this.replace(/&lt;/g,'<').replace(/&gt;/g,'>').replace(/&amp;/g,'&');
```
John-David Dalton April 25th, 2008 @ 06:26 AM
I am not arguing with you, I am saying this as well as other issues have
already been addressed, patched, and tested in a previous ticket. :)
Before you post again please take the time to follow my links,
read the tickets, read the tickets they link to and so on.
I will give you some hints:
IE/Safari only unescape about 3 characters where
Firefox/Opera and others unescape hundreds more.
There is a memoryleak in IE.
There are issues in IE with escaping those 3 characters.
There are issues between escaping whitespace in IE.
Safari 3 has issues with the ">" char as well.
Andrew Dupont May 20th, 2008 @ 12:20 AM
- → State changed from “bug” to “resolved”
http://github.com/sstephenson/pr...

Please Login or create a free account to add a new comment.

You can update this ticket by sending an email to from your email client. (help)

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

The Prototype JavaScript library.

Shared Ticket Bins (Sort)

194New/Open Tickets ↓↑ drag
77Patch Needed ↓↑ drag
23Tests Needed ↓↑ drag
0Regression bugs ↓↑ drag

People watching this ticket

Attachments

line533.txt 189 Bytes

Prototype