authorMichael Koziarski <michael@koziarski.com>2009-10-15 09:58:35 +1300
committerMichael Koziarski <michael@koziarski.com>2009-10-15 09:58:35 +1300
commit1d01bad3cedfd690c6d125cac6d4504baa9409e5 (patch)
tree0a5850a54e6587a9e24fb9b45323191052aeee42 /actionpack
parent5d5e34fa52183566968cb22f7c49544a7361a130 (diff)
Make sure non-escaped urls aren't considered safe
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb2
-rw-r--r--actionpack/test/template/url_helper_test.rb5
2 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 44e7073227..5b136d4f54 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -93,7 +93,7 @@ module ActionView
polymorphic_path(options)
end
- (escape ? escape_once(url) : url).html_safe!
+ escape ? escape_once(url).html_safe! : url
end
# Creates a link tag of the given +name+ using a URL created by the set
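Review bot: The new return line on the `+` side carries a security decision that nothing in the hunk explains: only the branch that ran `escape_once` gets `html_safe!`, so a reader changing it later has no hint why the unescaped branch must stay unmarked. I would put `# Only the escaped form is marked html_safe!; a caller that asks for escape: false gets a plain string and is responsible for escaping it before emitting HTML.` directly above the line. It is also worth a second comment line that `html_safe!` asserts safety for HTML interpolation only — escape_once presumably HTML-escapes the entity-sensitive characters and does not validate the URL's scheme or content — so `escape: true` is not a substitute for validating a user-supplied URL before it reaches this method. The enclosing `url_for` starts above the hunk, so the `escape` flag's default and source are not visible here.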
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index cc3b2455d7..cec53e479c 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -26,6 +26,11 @@ class UrlHelperTest < ActionView::TestCase
assert_equal "http://www.example.com?a=b&amp;c=d", url_for(:a => 'b', :c => 'd', :escape => true)
assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd', :escape => false)
end
+
+ def test_url_for_escaping_is_safety_aware
+ assert url_for(:a => 'b', :c => 'd', :escape => true).html_safe?, "escaped urls should be html_safe?"
+ assert !url_for(:a => 'b', :c => 'd', :escape => false).html_safe?, "non-escaped urls shouldn't be safe"
+ end
def test_url_for_escapes_url_once
@controller.url = "http://www.example.com?a=b&amp;c=d"