truncate() should not try to produce HTML-safe output

As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate()
method cannot guarantee safe output for all possible inputs/offsets, so
it is best to leave the output unsafe so that it gets escaped when used
in a view.

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>

2 files changed, 8 insertions, 22 deletions

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 3b37fd6b57..654f3c89f3 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -39,7 +39,10 @@ module ActionView
       # for a total length not exceeding <tt>:length</tt>.
       #
       # Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
-      # Pass a <tt>:safe</tt> value as "true" to not to escape the content. 
+      #
+      # The result is not marked as HTML-safe, so will be subject to the default escaping when
+      # used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
+      # or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
       #
       # ==== Examples
       #
@@ -56,12 +59,6 @@ module ActionView
       #   # => "And they f... (continued)"
       #
       #   truncate("<p>Once upon a time in a world far far away</p>")
-      #   # => "&lt;p&gt;Once upon a time i..."
-      #
-      #   truncate("<p>Once upon a time in a world far far away</p>", :safe => true)
-      #   # => "<p>Once upon a time in a wo..."
-      #
-      #   truncate("<p>Once upon a time in a world far far away</p>".html_safe)
       #   # => "<p>Once upon a time in a wo..."
       #
       # You can still use <tt>truncate</tt> with the old API that accepts the
@@ -84,7 +81,6 @@ module ActionView
 
         options.reverse_merge!(:length => 30)
 
-        text = h(text) unless text.html_safe? || options[:safe]
         text.truncate(options.delete(:length), options) if text
       end
 
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index b0a4c2a9cc..1cd6a5941d 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -52,8 +52,8 @@ class TextHelperTest < ActionView::TestCase
     assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
   end
 
-  def test_truncate_should_be_html_safe
-    assert truncate("Hello World!", :length => 12).html_safe?
+  def test_truncate_should_not_be_html_safe
+    assert !truncate("Hello World!", :length => 12).html_safe?
   end
   
   def test_truncate
@@ -61,18 +61,8 @@ class TextHelperTest < ActionView::TestCase
     assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
   end
 
-  def test_truncate_should_escape_unsafe_input
-    assert_equal "Hello &lt...", truncate("Hello <script>code!</script>World!!", :length => 12)
-  end
-
-  def test_truncate_should_not_escape_input_if_safe_option
-    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
-    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
-  end
-
-  def test_truncate_should_not_escape_safe_input
-    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
-    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
+  def test_truncate_should_not_escape_input
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12)
   end
 
   def test_truncate_should_use_default_length_of_30