Merge pull request #591 from kdmsnr/fix-589

Escape html correctly, Fix #589
kmuto · Apr 24, 2016 · e2e5fd8 · e2e5fd8
2 parents 5d9561f + f035393
commit e2e5fd8
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/lib/review/htmlbuilder.rb b/lib/review/htmlbuilder.rb
@@ -1162,7 +1162,7 @@ def nofunc_text(str)
 
     def compile_href(url, label)
       if @book.config["externallink"]
-        %Q(<a href="#{url}" class="link">#{label.nil? ? escape_html(url) : escape_html(label)}</a>)
+        %Q(<a href="#{escape_html(url)}" class="link">#{label.nil? ? escape_html(url) : escape_html(label)}</a>)
       else
         label.nil? ? escape_html(url) : I18n.t('external_link', [escape_html(label), escape_html(url)])
       end

diff --git a/test/test_htmlbuilder.rb b/test/test_htmlbuilder.rb
@@ -183,10 +183,10 @@ def test_inline_href
     @book.config["epubmaker"] ||= {}
     @book.config["epubmaker"]["externallink"] = false
     actual = compile_inline("@<href>{http://github.com&q=1,Git\\,Hub}")
-    assert_equal %Q|<a href="http://github.com&q=1" class="link">Git,Hub</a>|, actual
+    assert_equal %Q|<a href="http://github.com&amp;q=1" class="link">Git,Hub</a>|, actual
 
     actual = compile_inline("@<href>{http://github.com&q=1}")
-    assert_equal %Q|<a href="http://github.com&q=1" class="link">http://github.com&amp;q=1</a>|, actual
+    assert_equal %Q|<a href="http://github.com&amp;q=1" class="link">http://github.com&amp;q=1</a>|, actual
   end
 
   def test_inline_href_epubmaker
@@ -204,9 +204,9 @@ def test_inline_href_epubmaker
 
     @book.config["epubmaker"]["externallink"] = true
     actual = compile_inline("@<href>{http://github.com&q=1,Git\\,Hub}")
-    assert_equal %Q|<a href="http://github.com&q=1" class="link">Git,Hub</a>|, actual
+    assert_equal %Q|<a href="http://github.com&amp;q=1" class="link">Git,Hub</a>|, actual
     actual = compile_inline("@<href>{http://github.com&q=1}")
-    assert_equal %Q|<a href="http://github.com&q=1" class="link">http://github.com&amp;q=1</a>|, actual
+    assert_equal %Q|<a href="http://github.com&amp;q=1" class="link">http://github.com&amp;q=1</a>|, actual
   end
 
   def test_inline_raw