authorJoost Baaij <joost@spacebabies.nl>2012-11-16 09:11:43 +0100
committerJoost Baaij <joost@spacebabies.nl>2012-11-16 09:11:43 +0100
commit5f189f41258b83d49012ec5a0678d827327e7543 (patch)
treea4dc887d3bd1a3bb3cb58866b2b377661eacb6fe /actionpack/test/template/template_test.rb
parent44f12bbba08071178ec256c03eecadacdf35dccf (diff)
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`.
This is a list of mime types whose template text is not HTML-escaped by default. It prevents `Jack & Joe` from rendering as `Jack &amp; Joe` for the whitelisted mime types. The default whitelist contains text/plain. This follows a whitelist approach where plain-text templates are not escaped, and all the others (json, xml) are. The mime type is assumed to be set by the abstract controller.
Diffstat (limited to 'actionpack/test/template/template_test.rb')
-rw-r--r--actionpack/test/template/template_test.rb16
1 files changed, 15 insertions, 1 deletions
diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
index ffee3f81ba..6c11ee5322 100644
--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -26,6 +26,10 @@ class TestERBTemplate < ActiveSupport::TestCase
"Hello"
end
+ def apostrophe
+ "l'apostrophe"
+ end
+
def partial
ActionView::Template.new(
"<%= @virtual_path %>",
@@ -48,7 +52,7 @@ class TestERBTemplate < ActiveSupport::TestCase
end
end
- def new_template(body = "<%= hello %>", details = {})
+ def new_template(body = "<%= hello %>", details = {format: html})
ActionView::Template.new(body, "hello template", details.fetch(:handler) { ERBHandler }, {:virtual_path => "hello"}.merge!(details))
end
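Review bot: `html` in the new default `details = {format: html}` (and `text` in the later `format: text` call) is a bare identifier, so Ruby resolves it as a method call on the test case; unless the class, which starts outside this hunk, defines such helpers, this raises NameError when `new_template` is called, and what they would return is not visible here. The option reads as a symbol elsewhere in the template API, so `details = { format: :html }` and `format: :text` look like what is intended — please confirm against the class. Separately, the default is a whole-hash default rather than a merged one, so any caller that passes its own `details` (the raw-handler test passes only `:handler`) gets no `:format` at all; restoring `details = {}` and merging the default into the base hash, `{ :virtual_path => "hello", :format => :html }.merge!(details)`, keeps the html default for every caller while still letting an explicit `format:` override it.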
@@ -72,6 +76,16 @@ class TestERBTemplate < ActiveSupport::TestCase
assert_equal "Hello", render
end
+ def test_basic_template_does_html_escape
+ @template = new_template("<%= apostrophe %>")
+ assert_equal "l&#39;apostrophe", render
+ end
+
+ def test_text_template_does_not_html_escape
+ @template = new_template("<%= apostrophe %>", format: text)
+ assert_equal "l'apostrophe", render
+ end
+
def test_raw_template
@template = new_template("<%= hello %>", :handler => ActionView::Template::Handlers::Raw.new)
assert_equal "<%= hello %>", render