diff options
| author | José Valim <jose.valim@plataformatec.com.br> | 2012-11-16 00:33:14 -0800 |
|---|---|---|
| committer | José Valim <jose.valim@plataformatec.com.br> | 2012-11-16 00:33:14 -0800 |
| commit | 4a4de567b45ff28035419bc2d92f9b206e3c0a66 (patch) | |
| tree | a4dc887d3bd1a3bb3cb58866b2b377661eacb6fe | |
| parent | 44f12bbba08071178ec256c03eecadacdf35dccf (diff) | |
| parent | 5f189f41258b83d49012ec5a0678d827327e7543 (diff) | |
| download | rails-4a4de567b45ff28035419bc2d92f9b206e3c0a66.tar.gz rails-4a4de567b45ff28035419bc2d92f9b206e3c0a66.tar.bz2 rails-4a4de567b45ff28035419bc2d92f9b206e3c0a66.zip | |
Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`
| -rw-r--r-- | actionpack/CHANGELOG.md | 7 | ||||
| -rw-r--r-- | actionpack/lib/action_view/template/handlers/erb.rb | 5 | ||||
| -rw-r--r-- | actionpack/test/template/template_test.rb | 16 |
3 files changed, 27 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e04eac739d..78ef809196 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -43,6 +43,13 @@ *Josh Peek* +* Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list + of mime types where template text is not html escaped by default. It prevents `Jack & Joe` + from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist + contains text/plain. Fix #7976 + + *Joost Baaij* + * `assert_template` can be used to assert on the same template with different locals Fix #3675 diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb index aa8eac7846..731d8f9dab 100644 --- a/actionpack/lib/action_view/template/handlers/erb.rb +++ b/actionpack/lib/action_view/template/handlers/erb.rb @@ -47,6 +47,10 @@ module ActionView class_attribute :erb_implementation self.erb_implementation = Erubis + # Do not escape templates of these mime types. + class_attribute :escape_whitelist + self.escape_whitelist = ["text/plain"] + ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*") def self.call(template) @@ -78,6 +82,7 @@ module ActionView self.class.erb_implementation.new( erb, + :escape => (self.class.escape_whitelist.include? template.type), :trim => (self.class.erb_trim_mode == "-") ).src end diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb index ffee3f81ba..6c11ee5322 100644 --- a/actionpack/test/template/template_test.rb +++ b/actionpack/test/template/template_test.rb @@ -26,6 +26,10 @@ class TestERBTemplate < ActiveSupport::TestCase "Hello" end + def apostrophe + "l'apostrophe" + end + def partial ActionView::Template.new( "<%= @virtual_path %>", @@ -48,7 +52,7 @@ class TestERBTemplate < ActiveSupport::TestCase end end - def new_template(body = "<%= hello %>", details = {}) + def new_template(body = "<%= hello %>", details = {format: html}) ActionView::Template.new(body, "hello template", details.fetch(:handler) { ERBHandler }, {:virtual_path => "hello"}.merge!(details)) end @@ -72,6 +76,16 @@ class TestERBTemplate < ActiveSupport::TestCase assert_equal "Hello", render end + def test_basic_template_does_html_escape + @template = new_template("<%= apostrophe %>") + assert_equal "l'apostrophe", render + end + + def test_text_template_does_not_html_escape + @template = new_template("<%= apostrophe %>", format: text) + assert_equal "l'apostrophe", render + end + def test_raw_template @template = new_template("<%= hello %>", :handler => ActionView::Template::Handlers::Raw.new) assert_equal "<%= hello %>", render |