author | Michael Koziarski <michael@koziarski.com> | 2011-06-08 09:31:03 +1200 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-06-07 17:02:48 -0700 |
commit | 1300c034775a5d52ad9141fdf5bbdbb9159df96a (patch) | |
tree | 6a41fa33ea8c6ab4ce27d4b8c045b7b2bcddff8d | |
parent | 7d1782a2c15094224986e60eb15e864f8ea18e37 (diff) | |
download | rails-1300c034775a5d52ad9141fdf5bbdbb9159df96a.tar.gz rails-1300c034775a5d52ad9141fdf5bbdbb9159df96a.tar.bz2 rails-1300c034775a5d52ad9141fdf5bbdbb9159df96a.zip |
Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe?
Also make sure that the versions of those methods which modify a string in place such as gsub! can't be called on safe buffers at all.
Conflicts:
activesupport/test/safe_buffer_test.rb
-rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 13 | ||||
-rw-r--r-- | activesupport/test/safe_buffer_test.rb | 12 |
2 files changed, 25 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index c27cbc37c5..6df987eb14 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -74,6 +74,7 @@ end
 module ActiveSupport #:nodoc:
 class SafeBuffer < String
+ UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
 alias safe_concat concat
 def concat(value)
@@ -110,6 +111,18 @@ module ActiveSupport #:nodoc:
 to_str.to_yaml(*args)
 end
+
+ for unsafe_method in UNSAFE_STRING_METHODS
+ class_eval <<-EOT, __FILE__, __LINE__
+ def #{unsafe_method}(*args)
+ super.to_str
+ end
+
+ def #{unsafe_method}!(*args)
+ raise TypeError, "Cannot modify SafeBuffer in place"
+ end
+ EOT
+ end
 end
 end
diff --git a/activesupport/test/safe_buffer_test.rb b/activesupport/test/safe_buffer_test.rb
index a4e2acbb32..3a9854358c 100644
--- a/activesupport/test/safe_buffer_test.rb
+++ b/activesupport/test/safe_buffer_test.rb
@@ -60,4 +60,16 @@ class SafeBufferTest < ActiveSupport::TestCase
 yaml = YAML.dump data
 assert_equal({'str' => str}, YAML.load(yaml))
 end
+
+ test "Should not return safe buffer from gsub" do
+ altered_buffer = @buffer.gsub('', 'asdf')
+ assert_equal 'asdf', altered_buffer
+ assert !altered_buffer.html_safe?
+ end
+
+ test "Should not allow gsub! on safe buffers" do
+ assert_raise TypeError do
+ @buffer.gsub!('', 'asdf')
+ end
+ end
 end |
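Review bot: `super.to_str` in the generated `#{unsafe_method}` wrappers (second hunk of output_safety.rb) raises NoMethodError whenever the underlying String method returns something other than a String: `slice` returns nil for an out-of-range index, and `gsub`/`sub` called without a replacement or block return an Enumerator, so `SafeBuffer#slice(100)` now raises where a plain String returns nil. Delegating from the plain-String copy keeps every return type unsafe without that failure mode: `def #{unsafe_method}(*args, &block)` with body `to_str.#{unsafe_method}(*args, &block)`; the bare `super` forwarded the block implicitly, so `&block` has to be passed explicitly in the delegating form. `to_str` is relied on the same way by the existing `to_yaml` two lines above, which is presumably why it was chosen here. The `for` loop at class scope also leaves `unsafe_method` as a class-body local; `UNSAFE_STRING_METHODS.each do |unsafe_method|` is the idiomatic form. The first hunk only adds the constant and needs nothing further.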
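Review bot: The new tests in safe_buffer_test.rb exercise only `gsub`/`gsub!`, while the change wraps nineteen methods through `UNSAFE_STRING_METHODS`, so a method dropped from that list or a wrapper that fails to define under `class_eval` would go unnoticed. The bang wrappers raise before touching their arguments, so they can be covered generically by iterating the constant, which is public on `ActiveSupport::SafeBuffer`. The non-bang wrappers need per-method arguments (`tr`, `delete`, `slice`), so at least `sub`, `slice` and an argument-less method such as `upcase` deserve their own `html_safe?` assertion alongside the `gsub` case.
```ruby
  # … unchanged: existing gsub / gsub! tests …
  ActiveSupport::SafeBuffer::UNSAFE_STRING_METHODS.each do |unsafe_method|
    test "Should not allow #{unsafe_method}! on safe buffers" do
      assert_raise(TypeError) { @buffer.send("#{unsafe_method}!") }
    end
  end
```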