Comments (3)
In browsing through the rails code to see if there was a similar opportunity, I found that they are using the same escape algorithm in their ERB::Util module: http://github.com/rails/rails/blob/master/activesupport/lib/active_support/core_ext/string/output_safety.rb
I noticed the only entities they escape are [&"><] whereas rack also escapes apostrophes. Does anyone know if apostrophes are necessary? If they are not, this patch removes them from escape_html bahuvrihi/rack@a35e40c764a0030367b9c7cd13bd6aff88fd016a
from rack.
Thank you, I've taken your first patch as a starting point and did some benchmarking; it turns out it's only around 3.5 times faster on my machine.
On 1.9 compatible Ruby it could be even faster using string.to_s.gsub(/[&<>'"]/, HASH), but we have to keep the code compatible with 1.8.
I'm not going to alter the set of characters being escaped, as people may rely on it already.
I pushed the change here:
http://github.com/rack/rack/commit/b4d0dc76b2d0b8b4b7160b689ecb
from rack.
You're welcome. Thanks for the 1.9 syntax -- I didn't know about that variation.
As an FYI I'm going to open another issue regarding the escaping as I found a recommendation to escape not only apostrophe but slash as well. I won't be miffed if you close it immediately; I thought it would be good to have a separate record of it for future reference.
from rack.
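The two implementation styles discussed above (a single gsub with a hash replacement, which needs Ruby 1.9+, versus a block that also works on 1.8) and the question of whether the apostrophe belongs in the escaped set, as an added example. This is not Rack's or Rails' code: the escape table, the entity chosen for the apostrophe (&#x27;), the helper names and the constructed payload are all assumptions made here for illustration.

```ruby
require 'benchmark'

# Assumed escape table (not Rack's own): the five characters the thread says
# Rack escapes. Rails' ERB::Util at the time escaped only &, <, > and ".
ESCAPE_HTML = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  "'" => "&#x27;",
  '"' => "&quot;",
}.freeze

# Regexp.union escapes the keys for us, so the pattern matches any one of them.
ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)

# Ruby 1.9+ style from the thread: gsub with a Hash replacement. Each match
# is looked up as a key; no block call per character.
def escape_html_hash(string)
  string.to_s.gsub(ESCAPE_HTML_PATTERN, ESCAPE_HTML)
end

# Ruby 1.8-compatible style: same table, but a block does the lookup.
def escape_html_block(string)
  string.to_s.gsub(ESCAPE_HTML_PATTERN) { |c| ESCAPE_HTML[c] }
end

# The narrower, Rails-style set without the apostrophe, kept here only to
# show what it leaves through.
def escape_html_no_apos(string)
  string.to_s.gsub(/[&<>"]/) { |c| ESCAPE_HTML[c] }
end

# Render an untrusted value inside a single-quoted attribute. Templates that
# quote attributes with ' are exactly where the apostrophe matters.
def render_single_quoted_title(value, escaper)
  "<a title='#{escaper.call(value)}'>link</a>"
end

# True if an escaped value could still terminate a single-quoted attribute.
def breaks_single_quoted_attr?(escaped)
  escaped.include?("'")
end

# Constructed payload for the check below (not from the original thread).
PAYLOAD = "' onmouseover='alert(1)".freeze

# Rough timing of the two styles on a sample string; returns seconds per style.
def benchmark_escapers(iterations = 20_000)
  sample = %q{<a href="/x?a=1&b=2" title='hi'>Tom & Jerry</a>}
  {
    hash:  Benchmark.realtime { iterations.times { escape_html_hash(sample) } },
    block: Benchmark.realtime { iterations.times { escape_html_block(sample) } },
  }
end

if $PROGRAM_NAME == __FILE__
  puts render_single_quoted_title(PAYLOAD, method(:escape_html_no_apos))
  puts render_single_quoted_title(PAYLOAD, method(:escape_html_hash))
  p benchmark_escapers
end
```

Both escapers produce identical output for any input; only the replacement mechanism differs, which is what the 1.8-versus-1.9 discussion is about. The no-apostrophe variant is safe in double-quoted attributes and text nodes but lets the constructed payload close a single-quoted attribute, which is the practical reason to keep the apostrophe in the set even though Rails omitted it.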