author: Joost Baaij <joost@spacebabies.nl> 2012-11-16 09:11:43 +0100
committer: Joost Baaij <joost@spacebabies.nl> 2012-11-16 09:11:43 +0100
commit: 5f189f41258b83d49012ec5a0678d827327e7543 (patch)
tree: a4dc887d3bd1a3bb3cb58866b2b377661eacb6fe /actionpack/lib/action_view/template
parent: 44f12bbba08071178ec256c03eecadacdf35dccf (diff)
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`.
This is a list of mime types where template text is not html escaped by default. It prevents `Jack & Joe` from rendering as `Jack &amp; Joe` for the whitelisted mime types. The default whitelist contains text/plain. This follows a whitelist approach where plain text templates are not escaped, and all the others (json, xml) are. The mime type is assumed to be set by the abstract controller.
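The escaping policy described in the commit message, as an added illustration that is not Rails' own handler code: the whitelist names the MIME types whose output is emitted raw, and any other type, including a missing one, falls back to HTML escaping. `render_template` is a stand-in that applies the policy to interpolated values rather than reproducing the Erubis `:escape` option.

```ruby
require "erb"
require "cgi"

# Constructed for this illustration; mirrors the default the commit sets.
ESCAPE_WHITELIST = ["text/plain"].freeze

# True when a template of this MIME type should be left unescaped.
# A nil type is never whitelisted, so the safe default (escaping) applies.
def raw_output?(mime_type, whitelist = ESCAPE_WHITELIST)
  whitelist.include?(mime_type.to_s)
end

# Stand-in for the handler: renders an ERB string with the given locals,
# HTML-escaping every interpolated value unless the type is whitelisted.
def render_template(source, mime_type, locals)
  escape = !raw_output?(mime_type)
  bound = locals.each_with_object({}) do |(key, value), acc|
    acc[key] = escape ? CGI.escapeHTML(value.to_s) : value.to_s
  end
  context = Struct.new(*bound.keys).new(*bound.values)
  ERB.new(source).result(context.instance_eval { binding })
end

if __FILE__ == $PROGRAM_NAME
  puts render_template("Hi <%= name %>", "text/html",  name: "Jack & Joe")
  puts render_template("Hi <%= name %>", "text/plain", name: "Jack & Joe")
  puts render_template("Hi <%= name %>", nil,          name: "Jack & Joe")
end
```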
Diffstat (limited to 'actionpack/lib/action_view/template')
-rw-r--r-- actionpack/lib/action_view/template/handlers/erb.rb | 5 +++++
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb
index aa8eac7846..731d8f9dab 100644
--- a/actionpack/lib/action_view/template/handlers/erb.rb
+++ b/actionpack/lib/action_view/template/handlers/erb.rb
@@ -47,6 +47,10 @@ module ActionView
class_attribute :erb_implementation
self.erb_implementation = Erubis
+ # Do not escape templates of these mime types.
+ class_attribute :escape_whitelist
+ self.escape_whitelist = ["text/plain"]
+
ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")
def self.call(template)
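Review bot: the name `escape_whitelist` reads as "types that are escaped", while the comment on the new attribute says the opposite (these types are *not* escaped); consider a name that states the exemption, or expand the comment to say that adding a type here disables HTML escaping for every template of that type. Also, `self.escape_whitelist = ["text/plain"]` is a shared mutable Array on a `class_attribute`, so a subclass doing `escape_whitelist << "text/csv"` would change the default for all handlers; freezing the default, or documenting that callers must assign a new array rather than mutate it, would avoid that surprise.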
@@ -78,6 +82,7 @@ module ActionView
self.class.erb_implementation.new(
erb,
+ :escape => (self.class.escape_whitelist.include? template.type),
:trim => (self.class.erb_trim_mode == "-")
).src
end
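Review bot: `:escape => (self.class.escape_whitelist.include? template.type)` evaluates to true exactly for the types the earlier comment says are not escaped, so the option reads inverted at this call site; an intermediate like `raw = self.class.escape_whitelist.include?(template.type)` with a one-line comment on how Erubis interprets `:escape` would make the intent clear to the next reader. Two behaviours worth a test: a template with no type (`include?(nil)` is false, so escaping stays on, which is the safe fallback the commit message relies on), and a `template.type` that is a `Mime::Type` object rather than a String, to confirm `Array#include?` matches against the `"text/plain"` entry.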