authorJamis Buck <jamis@37signals.com>2006-06-05 14:51:27 +0000
committerJamis Buck <jamis@37signals.com>2006-06-05 14:51:27 +0000
commit2ffc84d23ff8f78bf43b277d64a4bcda51e932fc (patch)
tree83deb19800270a95aa41ad6a5ede5e66bdc1b4a3 /actionpack
parent332fcfaf6bee6b3ae0911e9bbe24ded9af757868 (diff)
Make sure :id and friends are properly unescaped (closes #5275).
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4435 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/routing.rb4
-rw-r--r--actionpack/test/controller/routing_test.rb17
3 files changed, 22 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 4e8dc42889..f80caa8266 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Make sure :id and friends are unescaped properly. #5275 [me@julik.nl]
+
* Fix documentation for with_routing to reflect new reality. #5281 [rramdas@gmail.com]
* Rewind readable CGI params so others may reread them (such as CGI::Session when passing the session id in a multipart form). #210 [mklame@atxeu.com, matthew@walker.wattle.id.au]
diff --git a/actionpack/lib/action_controller/routing.rb b/actionpack/lib/action_controller/routing.rb
index 9628c1f0ad..e1ad27fc3a 100644
--- a/actionpack/lib/action_controller/routing.rb
+++ b/actionpack/lib/action_controller/routing.rb
@@ -500,7 +500,9 @@ module ActionController
end
def match_extraction(next_capture)
hangon = (default ? "|| #{default.inspect}" : "if match[#{next_capture}]")
- "params[:#{key}] = match[#{next_capture}] #{hangon}"
+
+ # All non code-related keys (such as :id, :slug) have to be unescaped as other CGI params
+ "params[:#{key}] = match[#{next_capture}] && CGI.unescape(match[#{next_capture}]) #{hangon}"
end
def optionality_implied?
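Review bot: `CGI.unescape` on the added line applies form decoding to a path segment after the route has matched, so the stored param can now carry characters the raw segment presumably could not, such as `/` from `%2F` or a NUL from `%00`, and a literal `+` in the path is turned into a space. If the front end has already percent-decoded the path (not visible here), the value is decoded twice. I would extend the comment to say so, for example `# Decoded after matching: the value may contain '/' or NUL and must be validated before use in file paths or lookups`, and decide explicitly whether `+` should stay literal in path segments. The class enclosing match_extraction starts outside the hunk, so which segment types inherit this behaviour cannot be confirmed from here.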
diff --git a/actionpack/test/controller/routing_test.rb b/actionpack/test/controller/routing_test.rb
index 6388c6af03..acbf226a8c 100644
--- a/actionpack/test/controller/routing_test.rb
+++ b/actionpack/test/controller/routing_test.rb
@@ -241,6 +241,23 @@ class LegacyRouteSetTests < Test::Unit::TestCase
assert_equal({:controller => "content", :action => 'show_page', :id => '10'}, rs.recognize_path("/page/10"))
end
+ # For newer revision
+ def test_route_with_text_default
+ rs.draw do |map|
+ map.connect 'page/:id', :controller => 'content', :action => 'show_page', :id => 1
+ map.connect ':controller/:action/:id'
+ end
+
+ assert_equal '/page/foo', rs.generate(:controller => 'content', :action => 'show_page', :id => 'foo')
+ assert_equal({:controller => "content", :action => 'show_page', :id => 'foo'}, rs.recognize_path("/page/foo"))
+
+ token = "\321\202\320\265\320\272\321\201\321\202" # 'text' in russian
+ escaped_token = CGI::escape(token)
+
+ assert_equal '/page/' + escaped_token, rs.generate(:controller => 'content', :action => 'show_page', :id => token)
+ assert_equal({:controller => "content", :action => 'show_page', :id => token}, rs.recognize_path("/page/#{escaped_token}"))
+ end
+
def test_action_expiry
assert_equal '/content', rs.generate({:controller => 'content'}, {:controller => 'content', :action => 'show'})
end
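Review bot: test_route_with_text_default only round-trips a value produced by `CGI::escape`, so the decoding edge cases in recognize_path are not pinned, namely an encoded separator and a literal `+`. Adding an assertion such as `assert_equal({:controller => "content", :action => 'show_page', :id => 'a/b'}, rs.recognize_path("/page/a%2Fb"))` (expected value to be confirmed) and one for `"/page/a+b"` would record whichever result is intended. The comment `# For newer revision` does not say what is being tested; something like `# Escaped and non-ASCII :id values must round-trip through generate and recognize_path` would be clearer.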