Use html_escape method instead of gsub

riking 2015-02-09 15:02:49 -08:00
parent 7e79daf9af
commit 83b51875bb
1 changed files with 1 additions and 7 deletions


@ -249,13 +249,7 @@ class Topic < ActiveRecord::Base
end end
def fancy_title def fancy_title
sanitized_title = title.gsub(/['&\"<>]/, { sanitized_title = ERB::Util.html_escape(title)
"'" => '&#39;',
'&' => '&amp;',
'"' => '&quot;',
'<' => '&lt;',
'>' => '&gt;',
})
return unless sanitized_title return unless sanitized_title
return sanitized_title unless SiteSetting.title_fancy_entities? return sanitized_title unless SiteSetting.title_fancy_entities?