From 9b3068c15d57c2ba8a125941f09dc904f0b6d181 Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Mon, 6 Jan 2014 19:50:59 -0500
Subject: [PATCH] url escape before sanitizing

Signed-off-by: Parker Moore
---
 lib/jekyll/url.rb | 9 +++++++--
 test/test_post.rb | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/jekyll/url.rb b/lib/jekyll/url.rb
index 10e1cb5d..f2318ae0 100644
--- a/lib/jekyll/url.rb
+++ b/lib/jekyll/url.rb
@@ -50,8 +50,12 @@ module Jekyll
 # Returns a sanitized String URL
 def sanitize_url(in_url)
+
+ # prevent escaped periods from bypassing sanitization
+ url = URI.unescape(in_url)
+
 # Remove all double slashes
- url = in_url.gsub(/\/\//, "/")
+ url = url.gsub(/\/\//, "/")
 
 # Remove every URL segment that consists solely of dots
 url = url.split('/').reject{ |part| part =~ /^\.+$/ }.join('/')
@@ -61,7 +65,8 @@ module Jekyll
 
 # Always add a leading slash
 url.gsub!(/\A([^\/])/, '/\1')
- url
+
+ URI.escape url
 end
 end
 end
diff --git a/test/test_post.rb b/test/test_post.rb
index 580f0065..9cac2984 100644
--- a/test/test_post.rb
+++ b/test/test_post.rb
@@ -109,7 +109,7 @@ class TestPost < Test::Unit::TestCase
 post.write(dest_dir)
 
 assert !File.exist?(File.expand_path("../baddie.html", dest_dir))
- assert File.exist(File.expand_path("/baddie.html", dest_dir))
+ assert File.exist?(File.expand_path("baddie.html", dest_dir))
 end
 
 context "with CRLF linebreaks" do
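Review bot: `URI.unescape(in_url)` on the third added line decodes a single layer only, and the `URI.escape` added in the second hunk of this file does not re-encode `%`, so a doubly-encoded dot segment (`%252e` decodes to `%2e`) passes the `^\.+$` filter and is returned still percent-encoded; whether that is exploitable depends on whether a later consumer decodes the result again, which is not visible here. A defensive option is to keep decoding until the string is stable, or to refuse input that still carries an escape after one decode, e.g. `url = URI.unescape(in_url)` followed by `url = URI.unescape(url) while url.match?(/%[0-9A-Fa-f]{2}/)` before the dot-segment filter. `URI.unescape` and `URI.escape` are also obsolete in later Ruby releases (removed in 3.0), so wrapping the decode in a small private helper would ease a later replacement. The remainder of `sanitize_url` continues in the next hunk.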
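Review bot: Returning `URI.escape url` changes the method's output for any input that previously passed through untouched: `URI.escape` percent-encodes spaces, `#` and every non-ASCII byte, so a permalink containing such characters now comes back encoded where it used to be returned verbatim; callers that compare or re-join this value may need adjusting, which cannot be confirmed from this hunk. On style, the last added line drops the parentheses that the rest of the method uses for calls with arguments (`url.gsub(...)`, `url.split('/')`), so `URI.escape(url)` would be consistent, and the blank line the first hunk inserts directly after `def sanitize_url(in_url)` is likewise out of step with the surrounding code. The single-decode concern with `URI.unescape` is noted on the first hunk.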
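Review bot: The corrected assertion still only exercises a literal `../` segment, while the commit's stated purpose is catching percent-encoded dots; a second case whose permalink contains an escaped dot segment and asserts the output lands inside `dest_dir` would cover the new `URI.unescape` path. Because the old `File.exist` call raised `NoMethodError`, this positive check has never actually run before, so it is worth confirming that the post fixture's permalink (defined above the hunk) really resolves to `baddie.html` at the root of `dest_dir`. The enclosing test block starts outside this hunk.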