diff --git a/lib/Mojolicious/Plugin/TagHelpers.pm b/lib/Mojolicious/Plugin/TagHelpers.pm | |
index 8bf00f7..4a333a1 100644 | |
--- a/lib/Mojolicious/Plugin/TagHelpers.pm | |
+++ b/lib/Mojolicious/Plugin/TagHelpers.pm | |
@@ -221,6 +221,8 @@ sub _input { | |
# Value | |
my $p = $c->param($name); | |
+ $p = b($p)->xml_escape if defined $p; | |
+ | |
my $t = $attrs{type} || ''; | |
if (defined $p && $t ne 'submit') { | |
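Review bot: The escape at the first added line covers only the value read from `$c->param($name)`, so an attribute value supplied by the template itself (the test hunk at lines 50-51 passes `value => 'c'`) and every other attribute still reach the markup through whatever builds the `key="value"` string, presumably `_tag`, which is not visible here; escaping once at that point would cover every attribute with a single code path instead of patching one caller. `b($p)->xml_escape` also turns `$p` from a string into a Mojo::ByteStream object, and the following `defined $p && $t ne 'submit'` branch then relies on the object's stringification; `xml_escape($p)` from Mojo::Util, if it is imported in this file, keeps `$p` a plain string, and either way a one-line comment such as `# request parameters are untrusted, escape before they become attribute text` would record why the escape lives here. `_input` starts and ends outside the hunk, and the `+221,8` header implies two context lines that are not shown on this page.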
diff --git a/t/mojolicious/lite_app.t b/t/mojolicious/lite_app.t | |
index 0f9213e..4d0806a 100644 | |
--- a/t/mojolicious/lite_app.t | |
+++ b/t/mojolicious/lite_app.t | |
@@ -804,7 +804,7 @@ $t->get_ok('/0', {'X-Forwarded-For' => '192.168.2.2, 192.168.2.1'}) | |
$ENV{MOJO_REVERSE_PROXY} = $backup; | |
# GET /tags | |
-$t->get_ok('/tags/lala?a=b&b=0&c=2&d=3')->status_is(200)->content_is(<<EOF); | |
+$t->get_ok('/tags/lala?a=b&b=0&c=2&d=3&escaped=1%22+%222')->status_is(200)->content_is(<<EOF); | |
<foo /> | |
<foo bar="baz" /> | |
<foo one="two" three="four">Hello</foo> | |
@@ -835,6 +835,7 @@ $t->get_ok('/tags/lala?a=b&b=0&c=2&d=3')->status_is(200)->content_is(<<EOF); | |
<label for="foo">Name</label> | |
<input name="foo" /> | |
</form> | |
+<input name="escaped" value="1" "2" /> | |
<input name="a" value="b" /> | |
<input name="a" value="b" /> | |
<script src="/script.js" type="text/javascript" /> | |
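Review bot: The added expectation `<input name="escaped" value="1" "2" />` is the unescaped rendering of the query parameter `1%22+%222` added at line 25 — the embedded double quote closes the `value` attribute early — so this assertion pins the attribute-injection output rather than the escaped one the TagHelpers.pm hunk is meant to produce. With `xml_escape` applied to the parameter, the expected line should read `<input name="escaped" value="1&quot; &quot;2" />`; as written the test would seem to fail against the patched helper, unless something downstream renders the escaped value differently, which is not visible on this page. The `content_is(<<EOF)` heredoc this line belongs to begins in the previous hunk and continues past this one.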
@@ -878,6 +879,7 @@ $t->get_ok('/tags/lala?c=b&d=3&e=4&f=5')->status_is(200)->content_is(<<EOF); | |
<label for="foo">Name</label> | |
<input name="foo" /> | |
</form> | |
+<input name="escaped" /> | |
<input name="a" /> | |
<input name="a" value="c" /> | |
<script src="/script.js" type="text/javascript" /> | |
@@ -1651,6 +1653,7 @@ controller and action! | |
<%= label 'foo' => begin %>Name<% end %> | |
<%= input 'foo' %> | |
<% end %> | |
+<%= input 'escaped' %> | |
<%= input 'a' %> | |
<%= input 'a', value => 'c' %> | |
<%= script '/script.js' %> |