Switch to on-by-default XSS escaping for rails.

  This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.

1 files changed, 21 insertions, 0 deletions

diff --git a/actionpack/test/template/raw_output_helper_test.rb b/actionpack/test/template/raw_output_helper_test.rb
new file mode 100644
index 0000000000..598aa5b1d8
--- /dev/null
+++ b/actionpack/test/template/raw_output_helper_test.rb
@@ -0,0 +1,21 @@
+require 'abstract_unit'
+require 'testing_sandbox'
+
+class RawOutputHelperTest < ActionView::TestCase
+  tests ActionView::Helpers::RawOutputHelper
+  include TestingSandbox
+
+  def setup
+    @string = "hello"
+  end
+
+  test "raw returns the safe string" do
+    result = raw(@string)
+    assert_equal @string, result
+    assert result.html_safe?
+  end
+
+  test "raw handles nil values correctly" do
+    assert_equal "", raw(nil)
+  end
+end
\ No newline at end of file