Whoops!

In some circumstances, the new Sanitizer was double-escaping text nodes.
Fixed (with unit test).

lib/sanitizer.rb

@@ -149,7 +149,7 @@ module Sanitizer
                     end
                     node.attributes.each do |attr,val|
                       if String === val
-                         node.attributes[attr] = CGI.escapeHTML(CGI.unescapeHTML(val))
+                         node.attributes[attr] = val.unescapeHTML.escapeHTML
                       else
                         node.attributes.delete attr
                       end

lib/stringsupport.rb

@@ -2214,7 +2214,9 @@ class String
     def escapeHTML
             self.gsub( /&/, "&" ).
              gsub( /</, "&lt;" ).
-             gsub( />/, "&gt;" )
+             gsub( />/, "&gt;" ).
+             gsub(/'/, "&apos;" ).
+             gsub(/"/, "&quot;" )
     end
     
     def unescapeHTML
@@ -2224,6 +2226,8 @@ class String
       when /\Aamp\z/ni           then '&'
       when /\Agt\z/ni            then '>'
       when /\Alt\z/ni            then '<'
+      when /\Aquot\z/ni            then '"'
+      when /\Aapos\z/ni            then "'"
       when /\A#0*(\d+)\z/n       then
         if Integer($1) < 256
           Integer($1).chr

test/sanitizer.dat

@@ -3,14 +3,14 @@
     "name": "IE_Comments",
     "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
     "output": "",
-    "xhtml": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]--&gt;"
+    "xhtml": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert(&apos;XSS&apos;);&lt;/script&gt;&lt;![endif]--&gt;"
   },
 
   {
     "name": "IE_Comments_2",
     "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
     "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
-    "xhtml": "&lt;![if !IE 5]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]&gt;",
+    "xhtml": "&lt;![if !IE 5]&gt;&lt;script&gt;alert(&apos;XSS&apos;);&lt;/script&gt;&lt;![endif]&gt;",
     "rexml": "Ill-formed XHTML!"
   },
 
@@ -359,7 +359,7 @@
     "name": "should_sanitize_script_tag_with_multiple_open_brackets",
     "input": "<<script>alert(\"XSS\");//<</script>",
     "output": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;",
-    "xhtml": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;",
+    "xhtml": "&lt;&lt;script&gt;alert(&quot;XSS&quot;);//&lt;&lt;/script&gt;",
     "rexml": "Ill-formed XHTML!"
   },
 
@@ -375,7 +375,7 @@
     "name": "should_sanitize_tag_broken_up_by_null",
     "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
     "output": "&lt;scr\ufffdipt&gt;alert(\"XSS\")&lt;/scr\ufffdipt&gt;",
-    "xhtml": "&lt;scr&gt;alert(\"XSS\")&lt;/scr&gt;",
+    "xhtml": "&lt;scr&gt;alert(&quot;XSS&quot;)&lt;/scr&gt;",
     "rexml": "Ill-formed XHTML!"
   },
 

test/unit/page_renderer_test.rb

@@ -101,6 +101,13 @@ class PageRendererTest < Test::Unit::TestCase
         %{<p>This is a code block:</p>\n\n<pre><code>def a_method(arg)\n} +
         %{return ThatWay</code></pre>\n\n<p>Nice!</p>}, 
         code_block)
+        
+        assert_markup_parsed_as(%{<p>You then needed to edit (or create) a user.js file in} +
+          %{ your Mozilla profile, which read either (<span class='newWikiWord'>Mac OSX<a h} +
+          %{ref='../show/MacOSX'>?</a></span>)</p>\n\n<pre><code>  user_pref(&quot;font.mat} +
+          %{hfont-family&quot;, &quot;Math1,Math2,Math4,Symbol&quot;);</code></pre>},
+        %{You then needed to edit (or create) a user.js file in your Mozilla profile, whic} +
+          %{h read either (MacOSX)\n\n      user_pref("font.mathfont-family", "Math1,Math2,Math4,Symbol");})
 
     assert_markup_parsed_as(
         %{<p><math class='maruku-mathml' } +
@@ -299,7 +306,7 @@ class PageRendererTest < Test::Unit::TestCase
   
   def test_sanitize_nowiki_tag
     assert_markup_parsed_as(
-      '<p>[[test]]&amp;<a href=\'a&amp;b\'>shebang</a> &lt;script&gt;alert("xss!");&lt;/script&gt; *foo*</p>',
+      '<p>[[test]]&amp;<a href=\'a&amp;b\'>shebang</a> &lt;script&gt;alert(&quot;xss!&quot;);&lt;/script&gt; *foo*</p>',
       '<nowiki>[[test]]&<a href="a&b">shebang</a> <script>alert("xss!");</script> *foo*</nowiki>')
   end
 
@@ -349,7 +356,7 @@ class PageRendererTest < Test::Unit::TestCase
   
   def test_difficult_wiki_words
     @revision.content = "[[It's just awesome GUI!]]"
-    assert_equal "<p><span class='newWikiWord'>It's just awesome GUI!" +
+    assert_equal "<p><span class='newWikiWord'>It&apos;s just awesome GUI!" +
         "<a href='../show/It%27s+just+awesome+GUI%21'>?</a></span></p>", 
         test_renderer(@revision).display_content
   end
@@ -366,7 +373,7 @@ class PageRendererTest < Test::Unit::TestCase
   
   def test_nowiki_sanitization
     assert_markup_parsed_as('<p>This sentence contains <span>a &amp; b</span> ' +
-     '&lt;script&gt;alert("XSS!");&lt;/script&gt;. Do not touch!</p>',
+     '&lt;script&gt;alert(&quot;XSS!&quot;);&lt;/script&gt;. Do not touch!</p>',
       'This sentence contains <nowiki><span>a & b</span> <script>alert("XSS!");' +
       '</script></nowiki>. Do not touch!')
   end