diff options
| author | José Valim <jose.valim@plataformatec.com.br> | 2012-11-16 00:33:14 -0800 |
|---|---|---|
| committer | Carlos Antonio da Silva <carlosantoniodasilva@gmail.com> | 2012-11-16 09:59:15 -0200 |
| commit | 666a7e34f553cef4c8878362eafc79c7e3f310c3 (patch) | |
| tree | 85ed6e0dd3a97e1d70ecce0b13e528c034f98046 | |
| parent | f2a98a9243a3eb078efa11b901a6b6446e89717e (diff) | |
| download | rails-666a7e34f553cef4c8878362eafc79c7e3f310c3.tar.gz rails-666a7e34f553cef4c8878362eafc79c7e3f310c3.tar.bz2 rails-666a7e34f553cef4c8878362eafc79c7e3f310c3.zip | |
Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/template/template_test.rb
| -rw-r--r-- | actionpack/CHANGELOG.md | 7 | ||||
| -rw-r--r-- | actionpack/lib/action_view/template/handlers/erb.rb | 5 | ||||
| -rw-r--r-- | actionpack/test/template/template_test.rb | 16 |
3 files changed, 27 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 292a153d25..74ae690db0 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,5 +1,12 @@ ## Rails 3.2.10 (unreleased) ## +* Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list + of mime types where template text is not html escaped by default. It prevents `Jack & Joe` + from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist + contains text/plain. Fix #7976 [Backport #8235] + + *Joost Baaij* + * `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's returned value if any. Fix #8086 [Backport #8093] diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb index ea495ea9ca..6cc6a8f8ed 100644 --- a/actionpack/lib/action_view/template/handlers/erb.rb +++ b/actionpack/lib/action_view/template/handlers/erb.rb @@ -48,6 +48,10 @@ module ActionView class_attribute :erb_implementation self.erb_implementation = Erubis + # Do not escape templates of these mime types. + class_attribute :escape_whitelist + self.escape_whitelist = ["text/plain"] + ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*") def self.call(template) @@ -83,6 +87,7 @@ module ActionView self.class.erb_implementation.new( erb, + :escape => (self.class.escape_whitelist.include? template.mime_type), :trim => (self.class.erb_trim_mode == "-") ).src end diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb index 5880eb2bd4..aa7f5b31fc 100644 --- a/actionpack/test/template/template_test.rb +++ b/actionpack/test/template/template_test.rb @@ -25,6 +25,10 @@ class TestERBTemplate < ActiveSupport::TestCase "Hello" end + def apostrophe + "l'apostrophe" + end + def partial ActionView::Template.new( "<%= @virtual_path %>", @@ -47,7 +51,7 @@ class TestERBTemplate < ActiveSupport::TestCase end end - def new_template(body = "<%= hello %>", details = {}) + def new_template(body = "<%= hello %>", details = { :format => :html }) ActionView::Template.new(body, "hello template", ERBHandler, {:virtual_path => "hello"}.merge!(details)) end @@ -64,6 +68,16 @@ class TestERBTemplate < ActiveSupport::TestCase assert_equal "Hello", render end + def test_basic_template_does_html_escape + @template = new_template("<%= apostrophe %>") + assert_equal "l'apostrophe", render + end + + def test_text_template_does_not_html_escape + @template = new_template("<%= apostrophe %>", :format => :text) + assert_equal "l'apostrophe", render + end + def test_template_loses_its_source_after_rendering @template = new_template render |