author | Jamis Buck <jamis@37signals.com> | 2005-08-14 08:43:07 +0000 |
---|---|---|
committer | Jamis Buck <jamis@37signals.com> | 2005-08-14 08:43:07 +0000 |
commit | 8910de6a54324b38b6a20ab93c870e3146fd3a37 (patch) | |
tree | 10284c7ff7a372e68bc23b2a559992009182ef34 /actionpack | |
parent | 85c603fc9ea94aae98255bb5bd8e20212441ff2e (diff) | |
Make link_to escape the javascript in the confirm option #1964 [nicolas.pouillard@gmail.com]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2009 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/url_helper.rb | 6 | ||||
-rw-r--r-- | actionpack/test/template/url_helper_test.rb | 4 |
3 files changed, 11 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index c55df53302..941538018c 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Make link_to escape the javascript in the confirm option #1964 [nicolas.pouillard@gmail.com]
+
 * Make assert_redirected_to properly check URL's passed as strings #1910 [Scott Barron]
 
 * Make sure :layout => false is always used when rendering inside a layout
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 4864e253a8..5bcfb5e75d 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -1,3 +1,5 @@
+require File.dirname(__FILE__) + '/javascript_helper'
+
 module ActionView
 module Helpers
 # Provides a set of methods for making easy links and getting urls that depend on the controller and action. This means that
@@ -5,6 +7,8 @@ module ActionView
 # synchronously, so link_to uses that same url as is generated by url_for, which again is the same url used for
 # redirection in redirect_to.
 module UrlHelper
+ include JavaScriptHelper
+
 # Returns the URL for the set of +options+ provided. This takes the same options
 # as url_for. For a list, see the url_for documentation in link:classes/ActionController/Base.html#M000079.
 def url_for(options = {}, *parameters_for_method_reference)
@@ -219,7 +223,7 @@ module ActionView
 private
 def convert_confirm_option_to_javascript!(html_options)
 if confirm = html_options.delete("confirm")
- html_options["onclick"] = "return confirm('#{confirm.gsub(/'/, '\\\\\'')}');"
+ html_options["onclick"] = "return confirm('#{escape_javascript(confirm)}');"
 end
 end
 
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 0b75528176..8367108fab 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
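Review bot: In `convert_confirm_option_to_javascript!` (the third url_helper.rb hunk) the confirm text sits in two nested contexts, a single-quoted JavaScript string inside the double-quoted `onclick` attribute, and `escape_javascript` can only be expected to handle the first. Its definition is in javascript_helper.rb, outside this diff, so it should be checked whether it escapes backslashes as well as quotes and line breaks. If it turns `"` into `\"`, that sequence still ends the HTML attribute unless the tag builder HTML-escapes attribute values, which is also not visible here. I would record the assumption above the assignment: `# JS-escaped only; relies on the tag builder to HTML-escape the attribute value`. The enclosing module and the rest of the private section lie outside the hunk.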
@@ -56,6 +56,10 @@ class UrlHelperTest < Test::Unit::TestCase
 "<a href=\"http://www.example.com\" onclick=\"return confirm('You can\\'t possibly be sure, can you?');\">Hello</a>",
 link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
 )
+ assert_equal(
+ "<a href=\"http://www.example.com\" onclick=\"return confirm('You can\\'t possibly be sure,\\n can you?');\">Hello</a>",
+ link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+ )
 end
 
 def test_link_to_unless |
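Review bot: The added assertion exercises only an embedded newline, so a double quote and a backslash in `:confirm`, the characters that decide whether the `onclick` attribute stays intact, remain untested. I would add one more `assert_equal` on `link_to("Hello", "http://www.example.com", :confirm => "Say \"yes\" \\ no")`, with the expected markup pinned once the intended escaping for those characters is settled. The enclosing test method starts before the hunk, so its name is not visible here.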