authorNicholas Seckar <nseckar@gmail.com>2006-03-18 22:36:52 +0000
committerNicholas Seckar <nseckar@gmail.com>2006-03-18 22:36:52 +0000
commit1e7ce13b372e554438aa58c466dc100ef174ae9e (patch)
treee57458358882d8495ba3f55ae15aeaba3b07afd9
parenteba58b2c12586fc0558b805679b236a8379dd47a (diff)
Change url_for to escape the resulting URLs when called from a view. Closes #4202
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3953 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb16
-rw-r--r--actionpack/test/template/url_helper_test.rb32
3 files changed, 31 insertions, 19 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 9e604e37a5..8803a1dd34 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Change url_for to escape the resulting URLs when called from a view. [Nicholas Seckar, eddiewould@paradise.net.nz]
+
* Added easy support for testing file uploads with fixture_file_upload #4105 [turnip@turnipspatch.com]. Example:
# Looks in Test::Unit::TestCase.fixture_path + '/files/spongebob.png'
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index de6137659e..c4c8fca98e 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -15,7 +15,7 @@ module ActionView
# http://example.com/controller/action part (makes it harder to parse httpd log files)
def url_for(options = {}, *parameters_for_method_reference)
options = { :only_path => true }.update(options.symbolize_keys) if options.kind_of? Hash
- @controller.send(:url_for, options, *parameters_for_method_reference)
+ html_escape(@controller.send(:url_for, options, *parameters_for_method_reference))
end
# Creates a link tag of the given +name+ using an URL created by the set of +options+. See the valid options in
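Review bot: The comment above url_for (its tail is the first context line of this hunk) does not say that the view-level helper now returns an HTML-escaped string, which is the whole point of the change and differs from the controller's url_for that it wraps. Call sites that already run the result through `h` will double-escape (`&amp;amp;`), and the value is no longer suitable for non-HTML contexts such as a JavaScript string or a redirect target, so that needs stating where callers will read it. I would add `# Unlike ActionController::Base#url_for, the URL returned here is HTML-escaped (html_escape) for direct use in tag attributes; do not escape it again, and do not use it outside HTML.` The rest of url_for's doc comment sits above the hunk.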
@@ -46,8 +46,8 @@ module ActionView
else
tag_options = nil
end
- url = html_escape(options.is_a?(String) ? options : url_for(options, *parameters_for_method_reference))
- "<a href=\"#{url}\"#{tag_options}>#{name||url}</a>"
+ url = options.is_a?(String) ? options : self.url_for(options, *parameters_for_method_reference)
+ "<a href=\"#{url}\"#{tag_options}>#{name || url}</a>"
end
# Generates a form containing a sole button that submits to the
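Review bot: The String branch of the rewritten `url` assignment drops the escaping that the removed line applied to both branches, so a caller-supplied URL containing `&`, `"` or `<` is now interpolated into the href attribute verbatim while only the Hash branch benefits from the escaping url_for gained in this commit. The test changes at the second hunk of url_helper_test.rb confirm this rather than guard against it: test_link_tag_with_query and test_link_tag_with_query_and_no_name now pass a pre-escaped `&amp;` string instead of exercising escaping. Keeping the helper safe by default is one line: `url = options.is_a?(String) ? html_escape(options) : self.url_for(options, *parameters_for_method_reference)`. link_to's signature and the tag_options branch start above this hunk.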
@@ -104,11 +104,10 @@ module ActionView
if confirm = html_options.delete("confirm")
html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
end
-
- url, name = options.is_a?(String) ?
- [ options, name || options ] :
- [ url_for(options), name || html_escape(url_for(options)) ]
-
+
+ url = options.is_a?(String) ? options : url_for(options)
+ name ||= url
+
html_options.merge!("type" => "submit", "value" => name)
"<form method=\"post\" action=\"#{h url}\" class=\"button-to\"><div>" +
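Review bot: The form line still wraps `url` in `h`, but with this commit url_for already returns an escaped string, so the Hash form of button_to now double-escapes the action attribute (`&` becomes `&amp;amp;`) while the String form is escaped once. Moving the escaping to the String branch keeps both paths escaped exactly once: `url = options.is_a?(String) ? html_escape(options) : url_for(options)` together with `action=\"#{url}\"` on the form line. This also keeps `name ||= url` consistent, since in the removed code the fallback name was explicitly html_escape'd in both branches. button_to starts and ends outside this hunk.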
@@ -197,6 +196,7 @@ module ActionView
# mail_to "me@domain.com", "My email", :cc => "ccaddress@domain.com", :bcc => "bccaddress@domain.com", :subject => "This is an example email", :body => "This is the body of the message." # =>
# <a href="mailto:me@domain.com?cc="ccaddress@domain.com"&bcc="bccaddress@domain.com"&body="This%20is%20the%20body%20of%20the%20message."&subject="This%20is%20an%20example%20email">My email</a>
def mail_to(email_address, name = nil, html_options = {})
+ name = html_escape(name) if name
html_options = html_options.stringify_keys
encode = html_options.delete("encode")
cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body")
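Review bot: The added `name = html_escape(name) if name` makes mail_to escape the link text, whereas link_to in this same commit now interpolates `name` unescaped (the new test_link_tag_with_img depends on markup passing through), so the two helpers now disagree on whether the caller or the helper escapes link text. If that is intentional, the doc comment above mail_to should say so, e.g. `# The +name+ is HTML-escaped; to render markup as the link text use link_to instead.`; otherwise the escaping belongs in one place for both helpers. Note that the escape runs before `name` is defaulted to the address, so whatever default is applied further down is not escaped by this line. mail_to continues past the end of this hunk.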
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 85ce24b1c2..95b9373c7f 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -13,13 +13,20 @@ class UrlHelperTest < Test::Unit::TestCase
def setup
@controller = Class.new do
+ attr_accessor :url
def url_for(options, *parameters_for_method_reference)
- "http://www.example.com"
+ url
end
end
@controller = @controller.new
+ @controller.url = "http://www.example.com"
end
-
+
+ def test_url_for_escapes_urls
+ @controller.url = "http://www.example.com?a=b&c=d"
+ assert_equal "http://www.example.com?a=b&amp;c=d", url_for(:a => 'b', :c => 'd')
+ end
+
# todo: missing test cases
def test_button_to_with_straight_url
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com")
@@ -56,17 +63,25 @@ class UrlHelperTest < Test::Unit::TestCase
end
def test_link_tag_with_query
- assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&q2=v2")
+ assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&amp;q2=v2")
end
def test_link_tag_with_query_and_no_name
- assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&q2=v2")
+ assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&amp;q2=v2")
+ end
+
+ def test_link_tag_with_img
+ assert_dom_equal "<a href=\"http://www.example.com\"><img src='/favicon.jpg' /></a>", link_to("<img src='/favicon.jpg' />", "http://www.example.com")
+ end
+
+ def test_link_with_nil_html_options
+ assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
end
def test_link_tag_with_custom_onclick
assert_dom_equal "<a href=\"http://www.example.com\" onclick=\"alert('yay!')\">Hello</a>", link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
end
-
+
def test_link_tag_with_javascript_confirm
assert_dom_equal(
"<a href=\"http://www.example.com\" onclick=\"return confirm('Are you sure?');\">Hello</a>",
@@ -147,7 +162,6 @@ class UrlHelperTest < Test::Unit::TestCase
assert_equal "Showing", link_to_if(false, "Showing", :action => "show", :controller => "weblog", :id => 1)
end
-
def xtest_link_unless_current
@request = RequestMock.new("http://www.example.com")
assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog")
@@ -157,7 +171,7 @@ class UrlHelperTest < Test::Unit::TestCase
@request = RequestMock.new("http://www.example.com")
assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog", :id => 1)
end
-
+
def test_mail_to
assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">david@loudthinking.com</a>", mail_to("david@loudthinking.com")
assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">David Heinemeier Hansson</a>", mail_to("david@loudthinking.com", "David Heinemeier Hansson")
@@ -191,8 +205,4 @@ class UrlHelperTest < Test::Unit::TestCase
assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain(dot)com</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
end
-
- def test_link_with_nil_html_options
- assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
- end
end