Merge branch 'ref-filter-html' into 'master'

Escape all the things. See merge request !2209
author: Robert Speicher <robert@gitlab.com> 2015-12-25 01:19:36 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2015-12-25 01:20:02 +0300
commit: 476f6238b9b8f6541304c952a5b4250b1573380e (patch)
tree: ea341ee86d909c04f8996d5215a8b2cb439e78f3 /lib/banzai/filter/reference_filter.rb
parent: 8c208a90eb84e44ff30b1c1ddf5234edf22d62fa (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/banzai/filter/reference_filter.rb b/lib/banzai/filter/reference_filter.rb
index 33457a3f361..a22a7a7afd3 100644
--- a/lib/banzai/filter/reference_filter.rb
+++ b/lib/banzai/filter/reference_filter.rb
@@ -44,11 +44,11 @@ module Banzai
       # Returns a String
       def data_attribute(attributes = {})
         attributes[:reference_filter] = self.class.name.demodulize
-        attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{value}") }.join(" ")
+        attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}") }.join(" ")
       end
 
       def escape_once(html)
-        ERB::Util.html_escape_once(html)
+        html.html_safe? ? html : ERB::Util.html_escape_once(html)
       end
 
       def ignore_parents
author	Robert Speicher <robert@gitlab.com>	2015-12-25 01:19:36 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2015-12-25 01:20:02 +0300
commit	476f6238b9b8f6541304c952a5b4250b1573380e (patch)
tree	ea341ee86d909c04f8996d5215a8b2cb439e78f3 /lib/banzai/filter/reference_filter.rb
parent	8c208a90eb84e44ff30b1c1ddf5234edf22d62fa (diff)