Make sure strip_tags removes tags which start with a non-printable character

gtd · NZKoz · commit bfe032858077 · 2009-11-27T10:04:22.000+13:00
Signed-off-by: Michael Koziarski &lt;michael@koziarski.com&gt;
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ def parse(parent, line, pos, content, strict=true)
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
           name.downcase!
   
           unless closing
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -19,6 +19,7 @@ def test_strip_tags
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <!-- comment --> here.")
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
     assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+    assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
     [nil, '', '   '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
   end
 
