authorBruno Michel <bmichel@menfin.info>2010-02-13 19:53:26 -0200
committerYehuda Katz <yehudakatz@YK.local>2010-02-14 12:03:28 -0800
commitf86421fb282ff2d209914db736ca64380dab044d (patch)
treed539bc4dac34268b5ed973bcfc9f80744d059c88 /actionpack/lib/action_view
parent411c15ed5220cb07cfb1989d32be956f94a7478f (diff)
content_tag should escape its input
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/helpers/active_model_helper.rb6
-rw-r--r--actionpack/lib/action_view/helpers/date_helper.rb6
-rw-r--r--actionpack/lib/action_view/helpers/form_options_helper.rb5
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb6
-rw-r--r--actionpack/lib/action_view/helpers/javascript_helper.rb2
-rw-r--r--actionpack/lib/action_view/helpers/tag_helper.rb2
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb2
7 files changed, 14 insertions, 15 deletions
diff --git a/actionpack/lib/action_view/helpers/active_model_helper.rb b/actionpack/lib/action_view/helpers/active_model_helper.rb
index e106bb0897..c87e216c32 100644
--- a/actionpack/lib/action_view/helpers/active_model_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_model_helper.rb
@@ -127,7 +127,7 @@ module ActionView
if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) &&
(errors = obj.errors[method])
content_tag("div",
- "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}",
+ "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}".html_safe,
:class => options[:css_class]
)
else
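Review bot: `options[:prepend_text]` and `options[:append_text]` are interpolated verbatim at L35 and the whole string is then blessed with `.html_safe`, so only the error message itself is escaped; if a caller ever feeds user-influenced text into either option it is emitted as raw markup. Since `ERB::Util.html_escape` leaves strings that are already `html_safe?` untouched (this commit relies on that in `content_tag`), escaping them costs nothing for callers who mark their markup safe: `"#{ERB::Util.html_escape(options[:prepend_text])}#{ERB::Util.html_escape(errors.first)}#{ERB::Util.html_escape(options[:append_text])}".html_safe`. If the options are meant to carry trusted HTML, state that in the method's documentation instead. `error_message_on` starts before the hunk.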
@@ -228,14 +228,14 @@ module ActionView
object.errors.full_messages.map do |msg|
content_tag(:li, ERB::Util.html_escape(msg))
end
- end.join
+ end.join.html_safe
contents = ''
contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
contents << content_tag(:p, message) unless message.blank?
contents << content_tag(:ul, error_messages)
- content_tag(:div, contents, html)
+ content_tag(:div, contents.html_safe, html)
end
else
''
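Review bot: `contents.html_safe` at L50 blesses a plain `String` that was built with `<<`, so the output is safe only as long as every piece appended at L46-L48 was escaped already — true today because each is a `content_tag` result, but nothing enforces it. Starting from `contents = ActiveSupport::SafeBuffer.new` would make `<<` escape any non-safe piece (assuming `SafeBuffer#<<` already does so at this revision) and the trailing `.html_safe` becomes unnecessary. The `ERB::Util.html_escape(msg)` at L41 is now redundant, since `content_tag` escapes its content after this commit and passes html_safe strings through, but it is harmless. `error_messages_for` starts and ends outside the hunk.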
diff --git a/actionpack/lib/action_view/helpers/date_helper.rb b/actionpack/lib/action_view/helpers/date_helper.rb
index 8be2f76bd6..c2810b3190 100644
--- a/actionpack/lib/action_view/helpers/date_helper.rb
+++ b/actionpack/lib/action_view/helpers/date_helper.rb
@@ -815,7 +815,7 @@ module ActionView
tag_options[:selected] = "selected" if selected == i
select_options << content_tag(:option, value, tag_options)
end
- select_options.join("\n") + "\n"
+ (select_options.join("\n") + "\n").html_safe
end
# Builds select tag from date type and html select options
@@ -833,9 +833,9 @@ module ActionView
select_html = "\n"
select_html << content_tag(:option, '', :value => '') + "\n" if @options[:include_blank]
select_html << prompt_option_tag(type, @options[:prompt]) + "\n" if @options[:prompt]
- select_html << select_options_as_html.to_s
+ select_html << select_options_as_html
- (content_tag(:select, select_html, select_options) + "\n").html_safe
+ (content_tag(:select, select_html.html_safe, select_options) + "\n").html_safe
end
# Builds a prompt option tag with supplied options or from default options
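Review bot: Dropping `.to_s` at L71 means `select_html << select_options_as_html` raises `TypeError` if a caller passes `nil`, where the old code silently appended nothing. All in-tree callers presumably pass a string, but if that is the contract it should be stated; otherwise keep the guard, `select_html << select_options_as_html.to_s` (`to_s` on a `SafeBuffer` appears to return itself, so nothing is lost). `build_select` starts before the hunk and `prompt_option_tag` is defined outside it, so whether the text appended at L69 is escaped is assumed here, not verified.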
diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
index 0ffe770f5f..7f74be27cb 100644
--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
@@ -572,10 +572,9 @@ module ActionView
end
if value.blank? && options[:prompt]
prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
- "<option value=\"\">#{prompt}</option>\n" + option_tags
- else
- option_tags
+ option_tags = "<option value=\"\">#{prompt}</option>\n" + option_tags
end
+ option_tags.html_safe
end
end
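Review bot: `prompt` is interpolated unescaped at L87 and the result is blessed at L89, so a prompt containing `<`, `&` or `"` (from the `:prompt` option or a `helpers.select.prompt` translation) goes out as raw markup, which is inconsistent with what this commit does for `content_tag` content. Escaping it is a one-word change and does not affect callers who already pass an html_safe string, because `ERB::Util.html_escape` returns those untouched: `option_tags = "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>\n" + option_tags`. The enclosing method starts before the hunk, so whether `option_tags` arrives escaped is not visible here.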
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 6ed6c3101b..7dcaee7e34 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -90,9 +90,9 @@ module ActionView
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if blank = options.delete(:include_blank)
if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>" + option_tags
+ option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
else
- option_tags = "<option value=\"\"></option>" + option_tags
+ option_tags = "<option value=\"\"></option>".html_safe + option_tags
end
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
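Review bot: The `:include_blank` label is interpolated raw at L101 and then marked `.html_safe`, so `select_tag` emits it unescaped while the option content at L107 is escaped by `content_tag` — inconsistent, and an unescaped `"` or `<` in the label breaks the markup. `option_tags = "<option value=\"\">#{ERB::Util.html_escape(blank)}</option>".html_safe + option_tags` keeps the structure and still lets a caller pass an html_safe string through unchanged. Note also that `.html_safe + option_tags` yields a `SafeBuffer`, whose `+` appears to escape a non-safe right-hand side, so callers passing option markup as a plain String now need `.html_safe`; that matches L107 but deserves a line in the docs. `select_tag` starts before the hunk.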
@@ -279,7 +279,7 @@ module ActionView
escape = options.key?("escape") ? options.delete("escape") : true
content = html_escape(content) if escape
- content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
+ content_tag :textarea, content.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
end
# Creates a check box form input tag.
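Review bot: `content.html_safe` at L112 raises `NoMethodError` when `content` is `nil` and `"escape" => false` was passed, because `nil` only becomes a string via `html_escape` on the escaping path at L110 and `NilClass` does not appear to get `html_safe` from the core extension; before this change `content_tag :textarea, nil, ...` rendered an empty element. `content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)` restores that on both paths, since `to_s` on the escaped `SafeBuffer` returns itself. `text_area_tag` starts before the hunk.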
diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index 8fdaa8cf8d..2c73ff88f7 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -93,7 +93,7 @@ module ActionView
end
def javascript_cdata_section(content) #:nodoc:
- "\n//#{cdata_section("\n#{content}\n//")}\n"
+ "\n//#{cdata_section("\n#{content}\n//")}\n".html_safe
end
end
end
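Review bot: Blessing the CDATA wrapper with `.html_safe` is the right call, since the content is JavaScript source that `content_tag`'s new escaping would otherwise mangle, but it also means `content` is emitted verbatim and nothing here stops a `]]>` or `</script>` inside it from terminating the section early. That is pre-existing rather than introduced by this commit, but the contract deserves a comment above the method: `# content is JavaScript source and is emitted verbatim (html_safe); it must be trusted and must not contain "]]>"`.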
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index a3a8185f40..1c3eb20e19 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -127,7 +127,7 @@ module ActionView
def content_tag_string(name, content, options, escape = true)
tag_options = tag_options(options, escape) if options
- "<#{name}#{tag_options}>#{content}</#{name}>".html_safe
+ "<#{name}#{tag_options}>#{ERB::Util.h content}</#{name}>".html_safe
end
def tag_options(options, escape = true)
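Review bot: The `escape` parameter at L132 now governs only `tag_options`; content is passed through `ERB::Util.h` unconditionally at L135, so `content_tag(name, "<b>x</b>", nil, false)` still escapes the body, and the only way to emit raw markup is an `html_safe` string, which `ERB::Util.h` returns untouched (this commit depends on that, e.g. at L73). `name` is interpolated verbatim and is never escaped, so it must be a developer-chosen tag name. Both points belong in a comment above the method, e.g. `# Escapes content unless it is html_safe; the escape flag applies to attribute values only. name is emitted as given.`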
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 168a3bdbc0..88ce2a2c0c 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -493,7 +493,7 @@ module ActionView
char = c.chr
string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
end
- content_tag "a", name || email_address_encoded, html_options.merge({ "href" => "#{string}#{extras}" })
+ content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
else
content_tag "a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
end
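Review bot: `name || email_address_encoded.html_safe` at L147 binds `.html_safe` only to the encoded address, so a caller-supplied `name` is still escaped by `content_tag` — which is right, but the bless itself is justified only if `email_address_encoded`, built above the hunk and not visible here, consists entirely of character references; if that construction ever changes, this line silently emits raw input. A comment on L147 such as `# encoded is built from &#NN; references only, so it is safe by construction` records that dependency. The `else` branch at L149 leaves `email_address_obfuscated` to be escaped, so `:replace_at`/`:replace_dot` values given as markup will now be escaped; worth a line in the docs of `mail_to`, which starts before the hunk.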