aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
authorWincent Colaiuta <win@wincent.com>2010-06-17 08:39:13 +0200
committerDavid Heinemeier Hansson <david@loudthinking.com>2010-06-17 09:41:04 -0500
commita424808df95c5ebe66d02f0d743e741a1864baa7 (patch)
tree8d42d5ea86e0fba2e04922fb233271bd903a89db /actionpack
parent69bc8b26a9be246acc06eaab09063eb97f76aa00 (diff)
downloadrails-a424808df95c5ebe66d02f0d743e741a1864baa7.tar.gz
rails-a424808df95c5ebe66d02f0d743e741a1864baa7.tar.bz2
rails-a424808df95c5ebe66d02f0d743e741a1864baa7.zip
truncate() should not try to produce HTML-safe output
As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate() method cannot guarantee safe output for all possible inputs/offsets, so it is best to leave the output unsafe so that it gets escaped when used in a view. Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_view/helpers/text_helper.rb12
-rw-r--r--actionpack/test/template/text_helper_test.rb18
2 files changed, 8 insertions, 22 deletions
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 3b37fd6b57..654f3c89f3 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -39,7 +39,10 @@ module ActionView
# for a total length not exceeding <tt>:length</tt>.
#
# Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
- # Pass a <tt>:safe</tt> value as "true" to not to escape the content.
+ #
+ # The result is not marked as HTML-safe, so will be subject to the default escaping when
+ # used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
+ # or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
#
# ==== Examples
#
@@ -56,12 +59,6 @@ module ActionView
# # => "And they f... (continued)"
#
# truncate("<p>Once upon a time in a world far far away</p>")
- # # => "&lt;p&gt;Once upon a time i..."
- #
- # truncate("<p>Once upon a time in a world far far away</p>", :safe => true)
- # # => "<p>Once upon a time in a wo..."
- #
- # truncate("<p>Once upon a time in a world far far away</p>".html_safe)
# # => "<p>Once upon a time in a wo..."
#
# You can still use <tt>truncate</tt> with the old API that accepts the
@@ -84,7 +81,6 @@ module ActionView
options.reverse_merge!(:length => 30)
- text = h(text) unless text.html_safe? || options[:safe]
text.truncate(options.delete(:length), options) if text
end
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index b0a4c2a9cc..1cd6a5941d 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -52,8 +52,8 @@ class TextHelperTest < ActionView::TestCase
assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
end
- def test_truncate_should_be_html_safe
- assert truncate("Hello World!", :length => 12).html_safe?
+ def test_truncate_should_not_be_html_safe
+ assert !truncate("Hello World!", :length => 12).html_safe?
end
def test_truncate
@@ -61,18 +61,8 @@ class TextHelperTest < ActionView::TestCase
assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
end
- def test_truncate_should_escape_unsafe_input
- assert_equal "Hello &lt...", truncate("Hello <script>code!</script>World!!", :length => 12)
- end
-
- def test_truncate_should_not_escape_input_if_safe_option
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
- end
-
- def test_truncate_should_not_escape_safe_input
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
+ def test_truncate_should_not_escape_input
+ assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12)
end
def test_truncate_should_use_default_length_of_30