diff options
| author | Wincent Colaiuta <win@wincent.com> | 2010-06-17 08:39:13 +0200 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2010-06-17 09:41:04 -0500 |
| commit | a424808df95c5ebe66d02f0d743e741a1864baa7 (patch) | |
| tree | 8d42d5ea86e0fba2e04922fb233271bd903a89db /actionpack/test | |
| parent | 69bc8b26a9be246acc06eaab09063eb97f76aa00 (diff) | |
| download | rails-a424808df95c5ebe66d02f0d743e741a1864baa7.tar.gz rails-a424808df95c5ebe66d02f0d743e741a1864baa7.tar.bz2 rails-a424808df95c5ebe66d02f0d743e741a1864baa7.zip | |
truncate() should not try to produce HTML-safe output
As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate()
method cannot guarantee safe output for all possible inputs/offsets, so
it is best to leave the output unsafe so that it gets escaped when used
in a view.
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/template/text_helper_test.rb | 18 |
1 files changed, 4 insertions, 14 deletions
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index b0a4c2a9cc..1cd6a5941d 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -52,8 +52,8 @@ class TextHelperTest < ActionView::TestCase assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe) end - def test_truncate_should_be_html_safe - assert truncate("Hello World!", :length => 12).html_safe? + def test_truncate_should_not_be_html_safe + assert !truncate("Hello World!", :length => 12).html_safe? end def test_truncate @@ -61,18 +61,8 @@ class TextHelperTest < ActionView::TestCase assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12) end - def test_truncate_should_escape_unsafe_input - assert_equal "Hello <...", truncate("Hello <script>code!</script>World!!", :length => 12) - end - - def test_truncate_should_not_escape_input_if_safe_option - assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true) - assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true) - end - - def test_truncate_should_not_escape_safe_input - assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12) - assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12) + def test_truncate_should_not_escape_input + assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12) end def test_truncate_should_use_default_length_of_30 |