rails/rails-html-sanitizer

FullSanitizer de-escapes escaped HTML entities besides &, <, >

miloprice opened this issue · 3 comments

If you use FullSanitizer on a string containing an escaped &, <, or >, it remains escaped, as discussed here and added here:

> Rails::Html::FullSanitizer.new.sanitize("Read more &amp; &lt; &gt;")
=> "Read more &amp; &lt; &gt;"

(using version 1.03 with Ruby 2.3.4)

But if you use it on strings containing other escaped characters, they become de-escaped:

> Rails::Html::FullSanitizer.new.sanitize("Read more&hellip;")
=> "Read more…"
> Rails::Html::FullSanitizer.new.sanitize("Save&nbsp;8&euro; &amp; 5&cent;")
=> "Save 8€ &amp; 5¢"

Is this intended behavior? Thanks!

@kaspth The problem I'm having is that it's de-escaping some HTML entities.

& gets escaped and becomes &amp;, and &amp; gets left alone, but &hellip; e.g. gets de-escaped and becomes …. Why do &amp; and &hellip; behave differently?

Not sure. I'd check with the Loofah or Nokogiri folks. 😊
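As an added example (not code from this issue or from rails-html-sanitizer), a stdlib-only Ruby model of the parse-then-serialize pipeline that accounts for the outputs quoted above: the HTML parser decodes every character reference into text, and the text serializer re-escapes only the characters that are significant in a text node (&, <, >). `ENTITY_TABLE`, `decode_entities`, `escape_special`, `full_sanitize_model` and `html_text_safe?` are names constructed for this example, and the entity table is a constructed subset covering the entities in the issue.

```ruby
# Constructed subset of HTML named character references, enough for the
# strings quoted in the issue (hypothetical table, not the gem's own).
ENTITY_TABLE = {
  "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"',
  "nbsp" => "\u00A0", "hellip" => "\u2026", "euro" => "\u20AC", "cent" => "\u00A2",
}.freeze

# Step 1 (parser side): decode named and numeric references into plain text,
# the way a parser does when it builds a text node. Unknown names stay literal.
def decode_entities(str)
  str.gsub(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/i) do
    ref = Regexp.last_match(1)
    if ref.start_with?("#x", "#X") then [ref[2..-1].to_i(16)].pack("U")
    elsif ref.start_with?("#")      then [ref[1..-1].to_i].pack("U")
    else ENTITY_TABLE.fetch(ref, "&#{ref};")
    end
  end
end

# Step 2 (serializer side): re-escape only what is special inside text content.
def escape_special(str)
  str.gsub(/[&<>]/, "&" => "&amp;", "<" => "&lt;", ">" => "&gt;")
end

# Model of the observed behaviour for tag-free input: decode, then re-escape.
# "&amp;" round-trips (& -> "&amp;") and so looks untouched, while "&hellip;"
# decodes to a character the serializer has no reason to escape, so it stays "…".
def full_sanitize_model(str)
  escape_special(decode_entities(str))
end

# Defender's check on the output: safe to interpolate as HTML *text* iff there is
# no raw "<" or ">" and every "&" begins a complete character reference.
def html_text_safe?(str)
  return false if str.match?(/[<>]/)
  !str.gsub(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/i, "").include?("&")
end
```

The check models text context only: the sanitizer output shown in the issue has just &, < and > re-escaped, so it is not attribute-safe and should not be dropped into an attribute value without separate escaping.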