author | Andrew White <andyw@pixeltrix.co.uk> | 2014-04-20 10:08:32 +0100 |
---|---|---|
committer | Andrew White <andyw@pixeltrix.co.uk> | 2014-04-20 10:11:38 +0100 |
commit | 5460591f0226a9d248b7b4f89186bd5553e7768f (patch) | |
tree | 95a96328aee8a38aec6e219b382e370c3a64a880 /actionpack/lib/action_dispatch/journey/router/utils.rb | |
parent | a61792574d9c8904590895f7a2f56803e02a6c52 (diff) | |
Make URL escaping more consistent
1. Escape '%' characters in URLs - only unescaped data
should be passed to URL helpers
2. Add an `escape_segment` helper to `Router::Utils`
that escapes '/' characters
3. Use `escape_segment` rather than `escape_fragment`
in optimized URL generation
4. Use `escape_segment` rather than `escape_path`
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard
segments (e.g. *foo) then we use `escape_path` as the value may contain '/'
characters. This means that wildcard routes can't be optimized. Secondly,
if a `:controller` segment is used in the path then this uses `escape_path`
as the controller may be namespaced.
Fixes #14629, #14636 and #14070.
Diffstat (limited to 'actionpack/lib/action_dispatch/journey/router/utils.rb')
-rw-r--r-- | actionpack/lib/action_dispatch/journey/router/utils.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/journey/router/utils.rb b/actionpack/lib/action_dispatch/journey/router/utils.rb index 246d91da01..ac4ecb1e65 100644 --- a/actionpack/lib/action_dispatch/journey/router/utils.rb +++ b/actionpack/lib/action_dispatch/journey/router/utils.rb @@ -37,6 +37,7 @@ module ActionDispatch ESCAPED = /%[a-zA-Z0-9]{2}/.freeze FRAGMENT = /[^#{UNRESERVED}#{SUB_DELIMS}:@\/\?]/.freeze + SEGMENT = /[^#{UNRESERVED}#{SUB_DELIMS}:@]/.freeze PATH = /[^#{UNRESERVED}#{SUB_DELIMS}:@\/]/.freeze def escape_fragment(fragment) @@ -47,6 +48,10 @@ module ActionDispatch escape(path, PATH) end + def escape_segment(segment) + escape(segment, SEGMENT) + end + def unescape_uri(uri) uri.gsub(ESCAPED) { [$&[1, 2].hex].pack('C') }.force_encoding(uri.encoding) end @@ -69,6 +74,10 @@ module ActionDispatch ENCODER.escape_path(path.to_s) end + def self.escape_segment(segment) + ENCODER.escape_segment(segment.to_s) + end + def self.escape_fragment(fragment) ENCODER.escape_fragment(fragment.to_s) end |
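Review bot: In the first hunk (at line 37), the new `SEGMENT` class differs from `PATH` only by leaving `\/` out of the allowed set, and nothing in the file says which URL component each of `FRAGMENT`, `SEGMENT` and `PATH` is meant for. A short comment above the three constants, noting that `SEGMENT` is the one that percent-encodes '/', would keep a later caller from choosing `PATH` for a single dynamic segment, where a '/' in a parameter value would pass through as a path separator.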
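Review bot: In the second hunk (at line 47), `escape_segment` is added without any statement of its contract. The commit message says only unescaped data should be passed to URL helpers and that wildcard and `:controller` values must stay on `escape_path`; a comment on the method saying it takes exactly one raw, unescaped segment and will encode any '/' it contains would put that rule next to the code instead of only in the commit log.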
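Review bot: In the third hunk (at line 69), `self.escape_segment` coerces its argument with `segment.to_s`, so a `nil` segment silently becomes an empty string instead of raising. That matches the sibling `escape_path` and `escape_fragment` wrappers, but an empty path segment changes the shape of the generated URL, so it is worth confirming the callers never pass `nil` here. The diffstat shown is limited to this file, so no tests are visible; cases for values containing '/' and '%' should accompany the new helper.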