Fix handling of hexadecimal escapes in escape_once

This also aligns the behavior once again with current behavior of ActionView::Helpers::TagHelper#escape_once / ERB::Util::html_escape_once, which escape_once was originally based on. Fixes #792
Shopify · Feb 22, 2024 · 697c1ec · 697c1ec
1 parent 4a4fe3c
commit 697c1ec
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/lib/liquid/standardfilters.rb b/lib/liquid/standardfilters.rb
@@ -21,7 +21,7 @@ module StandardFilters
       '"' => '&quot;',
       "'" => '&#39;',
     }.freeze
-    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
     STRIP_HTML_BLOCKS       = Regexp.union(
       %r{<script.*?</script>}m,
       /<!--.*?-->/m,

diff --git a/test/integration/standard_filter_test.rb b/test/integration/standard_filter_test.rb
@@ -168,6 +168,8 @@ def test_h
 
   def test_escape_once
     assert_equal('&lt;strong&gt;Hulk&lt;/strong&gt;', @filters.escape_once('&lt;strong&gt;Hulk</strong>'))
+    assert_equal("1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3", @filters.escape_once('1 <>&"\' 2 &amp; 3'))
+    assert_equal(" &#X27; &#x27; &#x03BB; &#X03bb; &quot; &#39; &lt; &gt; ", @filters.escape_once(" &#X27; &#x27; &#x03BB; &#X03bb; \" ' < > "))
   end
 
   def test_base64_encode