diff --git a/lib/Mojo/DOM/HTML.pm b/lib/Mojo/DOM/HTML.pm | |
index cb55275..7fddb0c 100644 | |
--- a/lib/Mojo/DOM/HTML.pm | |
+++ b/lib/Mojo/DOM/HTML.pm | |
@@ -1,7 +1,7 @@ | |
package Mojo::DOM::HTML; | |
use Mojo::Base -base; | |
-use Mojo::Util qw(html_unescape xml_escape); | |
+use Mojo::Util qw(html_unescape xss_escape); | |
use Scalar::Util 'weaken'; | |
has tree => sub { ['root'] }; | |
@@ -195,7 +195,7 @@ sub _render { | |
# Text (escaped) | |
my $type = $tree->[0]; | |
- return xml_escape $tree->[1] if $type eq 'text'; | |
+ return xss_escape $tree->[1] if $type eq 'text'; | |
# Raw text | |
return $tree->[1] if $type eq 'raw'; | |
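Review bot: With `xss_escape` in the text branch, a `Mojo::ByteStream` stored in `$tree->[1]` is returned without escaping, so text nodes are no longer escaped unconditionally; the same holds for attribute values in the later `_render` hunk, where an unescaped `"` would end the quoted value. Whether a ByteStream can reach the tree is not visible here, but if the attribute or content setters store caller values as-is, any input wrapped in a ByteStream for string handling would skip escaping. The `raw` branch just below already covers deliberate unescaped output, so I would keep `xml_escape` at both sites, or at least change the comment to `# Text (escaped unless Mojo::ByteStream)` and document the trust assumption. `_render` starts and ends outside this hunk.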
@@ -224,7 +224,7 @@ sub _render { | |
for my $key (sort keys %{$tree->[2]}) { | |
my $value = $tree->[2]{$key}; | |
$result .= $xml ? qq{ $key="$key"} : " $key" and next unless defined $value; | |
- $result .= qq{ $key="} . xml_escape($value) . '"'; | |
+ $result .= qq{ $key="} . xss_escape($value) . '"'; | |
} | |
# No children | |
diff --git a/lib/Mojo/Util.pm b/lib/Mojo/Util.pm | |
index 3519705..6d2657e 100644 | |
--- a/lib/Mojo/Util.pm | |
+++ b/lib/Mojo/Util.pm | |
@@ -342,7 +342,7 @@ sub xor_encode { | |
sub xss_escape { | |
no warnings 'uninitialized'; | |
- ref $_[0] eq 'Mojo::ByteStream' ? $_[0] : xml_escape("$_[0]"); | |
+ length(ref $_[0]) && ref $_[0] eq 'Mojo::ByteStream' ? $_[0] : xml_escape("$_[0]"); | |
} | |
sub _adapt { |
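Review bot: The added `length(ref $_[0])` guard does not change the result, since `ref` returns an empty string for non-references and that already fails `eq 'Mojo::ByteStream'`; if it is meant as a fast path for plain strings, say so in a comment such as `# Plain strings have an empty ref() and are always escaped`. Because this check now decides what `_render` in Mojo::DOM::HTML emits unescaped, the sub also deserves a comment stating that a `Mojo::ByteStream` is treated as already-escaped, trusted markup and that only an exact class match passes through.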