Hello Cédric,

On Tue, Feb 10, 2015 at 03:16:12PM +0100, Cédric Barboiron wrote:
> def image(opts) > opts.delete(:align) > opts[:alt] = opts[:title] > - img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} > alt=\"#{escape_attribute opts[:alt].to_s}\" />" > - img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if > opts[:href] > + src = escape_uri(escape_attribute(opts[:src])) > + href = escape_uri(escape_attribute(opts[:href])) if opts[:href] > + img = "<img src=\"#{src}\"#{pba(opts)} alt=\"#{escape_attribute > opts[:alt].to_s}\" />" > + img = "<a href=\"#{href}\">#{img}</a>" if href > img > end
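Review bot: the escaping order on the two added assignments looks inverted. `escape_uri(escape_attribute(opts[:src]))` applies attribute escaping first and URI escaping second, so the string interpolated into `src="..."` and `href="..."` is whatever `escape_uri` returns, and any entities `escape_attribute` emits are themselves fed through the URI escaper. Suggest `escape_attribute(escape_uri(opts[:src]))`, and the same for `href`, so that attribute escaping is the last step before interpolation. `escape_uri` is not defined in the visible lines, so a comment or commit-message sentence on how it treats the URL scheme would help, as would a test for `image` called with an `:href`.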
I just tested both iceweasel and chromium and they do *not* do anything when given img tags with a javascript: url; I would assume all browsers do the same, so this patch seems more intrusive than necessary.

I have a patch of my own which I will upload soon.

Anyway, thanks for your contribution!

--
Antonio Terceiro <terce...@debian.org>