Applying strip_html filter to escaped html will unescape the string

[ugenl]

Encountered this on liqp 0.9, though it could go further back.

Ex.
{{ "<em>test</em>" | escape }} --> <em>test</em>

{{ "<em>test</em>" | escape | strip_html }} --> <em>test</em>

[msangel]

This happened because we use Jsoup library for stripping html, while the Ruby's implementation is simple and naive:

    STRIP_HTML_BLOCKS = Regexp.union(
      /<script.*?<\/script>/m,
      /<!--.*?-->/m,
      /<style.*?<\/style>/m
    )
    STRIP_HTML_TAGS = /<.*?>/m

    def strip_html(input)
      empty  = ''
      result = input.to_s.gsub(STRIP_HTML_BLOCKS, empty)
      result.gsub!(STRIP_HTML_TAGS, empty)
      result
    end

And we probably should go naive implementation too

[msangel]

Will it be safer?
No.
Will it be more compatible?
Yes.

[msangel]

Fixed in 0.9.1.0. Side effect - jsoup dependency removed as not in use. If someone used it as transitive dependency in own projects, must add that back manually:

    <dependency>
      <groupId>org.jsoup</groupId>
      <artifactId>jsoup</artifactId>
      <version>1.15.3</version>
    </dependency>

As for this library the Jsoup has single use here.

[ugenl]

very much appreciate the fix here! Now that the fix is in place though, is there any other way to unescape strings at this point?

[msangel]

@ugenl probably not. as unescaping is destructive operation - you never know which symbol before unescaping was represented via escape sequence and which not.

[ugenl]

yeah, fair enough - and people can directly substitute via replace if necessary anyway. Sounds good