Commits

Mike Orr committed e56c961

Escape nl2hr() argument to prevent stray HTML from passing through.

  • Participants
  • Parent commits 8565a3a

Comments (0)

Files changed (2)

tests/test_converters.py

 def test_nl2br():
     eq_(u'A B<br />\nC D<br />\n<br />\nE F', nl2br("A B\nC D\r\n\r\nE F"))
 
+def test_nl2br2():
+    eq_(u'&lt;strike&gt;W&lt;/strike&gt;<br />\nThe W', nl2br("<strike>W</strike>\nThe W"))
+
+def test_nl2br3():
+    eq_(u'<strike>W</strike><br />\nThe W', nl2br(literal("<strike>W</strike>\nThe W")))
+
 def test_format_paragraphs1():
     eq_(u"<p>crazy\n cross\n platform linebreaks</p>", format_paragraphs("crazy\r\n cross\r platform linebreaks"))
 

webhelpers/html/converters.py

     if text is None:
         return literal("")
     text = _universal_newline_rx.sub("\n", text)
-    text = text.replace("\n", br)
+    text = HTML(text).replace("\n", br)
     return text
 
 def format_paragraphs(text, preserve_lines=False):