author | Joost Baaij <joost@spacebabies.nl> | 2012-11-16 09:11:43 +0100 |
committer | Joost Baaij <joost@spacebabies.nl> | 2012-11-16 09:11:43 +0100 |
commit | 5f189f41258b83d49012ec5a0678d827327e7543 (patch) | |
tree | a4dc887d3bd1a3bb3cb58866b2b377661eacb6fe /actionpack | |
parent | 44f12bbba08071178ec256c03eecadacdf35dccf (diff) | |
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`.
This is a list of mime types where template text is not html escaped
by default. It prevents `Jack & Joe` from rendering as
`Jack &amp; Joe` for the whitelisted mime types. The default whitelist
contains text/plain.
This follows a whitelist approach where plain text templates are
not escaped, and all the others (json, xml) are. The mime type is
assumed to be set by the abstract controller.
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 7 | ||||
-rw-r--r-- | actionpack/lib/action_view/template/handlers/erb.rb | 5 | ||||
-rw-r--r-- | actionpack/test/template/template_test.rb | 16 |
3 files changed, 27 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index e04eac739d..78ef809196 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -43,6 +43,13 @@
 *Josh Peek*
+* Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
+ of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
+ from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist
+ contains text/plain. Fix #7976
+
+ *Joost Baaij*
+
 * `assert_template` can be used to assert on the same template with different locals Fix #3675
diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb
index aa8eac7846..731d8f9dab 100644
--- a/actionpack/lib/action_view/template/handlers/erb.rb
+++ b/actionpack/lib/action_view/template/handlers/erb.rb
@@ -47,6 +47,10 @@ module ActionView
 class_attribute :erb_implementation
 self.erb_implementation = Erubis
+ # Do not escape templates of these mime types.
+ class_attribute :escape_whitelist
+ self.escape_whitelist = ["text/plain"]
+
 ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")
 def self.call(template)
@@ -78,6 +82,7 @@ module ActionView
 self.class.erb_implementation.new(
 erb,
+ :escape => (self.class.escape_whitelist.include? template.type),
 :trim => (self.class.erb_trim_mode == "-")
 ).src
 end
diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
index ffee3f81ba..6c11ee5322 100644
--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -26,6 +26,10 @@ class TestERBTemplate < ActiveSupport::TestCase
 "Hello"
 end
+ def apostrophe
+ "l'apostrophe"
+ end
+
 def partial
 ActionView::Template.new(
 "<%= @virtual_path %>",
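Review bot: `self.escape_whitelist = ["text/plain"]` hands out one mutable Array: `class_attribute` readers on subclasses return the parent's object until the subclass assigns its own, so an in-place `escape_whitelist << "text/csv"` anywhere disables HTML escaping for that format in every handler that inherits the default. Either freeze the default so extension has to go through reassignment, `self.escape_whitelist = ["text/plain"].freeze`, or say so in the comment: `# Do not escape templates of these mime types. Extend by reassigning (escape_whitelist += [...]); the array is shared via class_attribute.` Since each entry switches off escaping for a whole response format, the comment should also state that only formats never interpreted as HTML by a browser belong here. The enclosing class starts outside the hunk.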
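Review bot: The option reads backwards at `:escape => (self.class.escape_whitelist.include? template.type)`: a type on the no-escape whitelist is the one that gets `:escape => true`. That presumably works because this handler's Erubis subclass (outside the hunk) wires Erubis's `:escape` flag so that `<%= %>` takes the non-escaping output path, but a reader has to know that, and someone will eventually "fix" the inversion; a comment such as `# Erubis :escape => true routes <%= %> to the unescaped output path, so it is set only for whitelisted types` would prevent that. It is also worth recording that a template with no type (`template.type` nil) is not in the list and therefore stays escaped, which is the safe default for the misconfigured case. The surrounding compile method starts outside the hunk.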
@@ -48,7 +52,7 @@ class TestERBTemplate < ActiveSupport::TestCase
 end
 end
- def new_template(body = "<%= hello %>", details = {})
+ def new_template(body = "<%= hello %>", details = {format: html})
 ActionView::Template.new(body, "hello template", details.fetch(:handler) { ERBHandler }, {:virtual_path => "hello"}.merge!(details))
 end
@@ -72,6 +76,16 @@ class TestERBTemplate < ActiveSupport::TestCase
 assert_equal "Hello", render
+ def test_basic_template_does_html_escape
+ @template = new_template("<%= apostrophe %>")
+ assert_equal "l'apostrophe", render
+ end
+
+ def test_text_template_does_not_html_escape
+ @template = new_template("<%= apostrophe %>", format: text)
+ assert_equal "l'apostrophe", render
+ end
+
 def test_raw_template
 @template = new_template("<%= hello %>", :handler => ActionView::Template::Handlers::Raw.new)
 assert_equal "<%= hello %>", render |
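Review bot: The new default `details = {format: html}` only applies when the argument is omitted entirely; a caller that passes any details hash without `:format`, such as `new_template("<%= hello %>", :handler => ActionView::Template::Handlers::Raw.new)` in `test_raw_template`, still builds a template with no format, so the two families of call sites now render under different escaping conditions without that being visible at the call. Merging the default inside the method keeps every call site on the same footing: `details = {}` in the signature and `{:virtual_path => "hello", :format => html}.merge!(details)` in the body. `html` and `text` appear to be helpers defined elsewhere in the test class, outside the hunk.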
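Review bot: As displayed, `test_basic_template_does_html_escape` and `test_text_template_does_not_html_escape` assert the same expected string, `"l'apostrophe"`, which cannot tell escaped from unescaped output and would let a regression in either direction pass. The first test presumably expects the entity-encoded apostrophe and the entity may have been lost when this page was rendered; confirm the committed expectation is the escaped form, and consider a test value containing `<` or `&` as well, since those are the characters whose escaping matters for HTML injection. The enclosing test class continues outside the hunk.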