authorSantiago Pastorino <santiago@wyeworks.com>2010-06-11 04:37:10 -0300
committerJosé Valim <jose.valim@gmail.com>2010-06-11 16:34:53 +0200
commitb4976ce91ba003942acd3f285c6b4fb308657a69 (patch)
tree5655d0d8cafc5731327ecf430761d7f3734b8dd8 /actionpack
parent51ad68367a5ea67aee586c6bd9b4017088a093ce (diff)
text_helper now escapes unsafe input instead of sanitizing it
Signed-off-by: José Valim <jose.valim@gmail.com>
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_view/helpers/text_helper.rb8
-rw-r--r--actionpack/test/template/text_helper_test.rb17
2 files changed, 12 insertions, 13 deletions
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index a06073ce66..700c0b9e3b 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -74,7 +74,7 @@ module ActionView
options.reverse_merge!(:length => 30)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
text.truncate(options.delete(:length), options) if text
end
@@ -106,7 +106,7 @@ module ActionView
end
options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
if text.blank? || phrases.blank?
text
else
@@ -244,7 +244,7 @@ module ActionView
def simple_format(text, html_options={}, options={})
text = '' if text.nil?
start_tag = tag('p', html_options, true)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
@@ -503,7 +503,7 @@ module ActionView
text.html_safe
else
display_text = (block_given?) ? yield(text) : text
- display_text = sanitize(display_text) unless options[:safe]
+ display_text = h(display_text) unless options[:safe]
mail_to text, display_text, html_options
end
end
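Review bot: In the truncate hunk (@@ -74,7) the text is escaped before `text.truncate` runs, so `:length` now counts the characters of the entity expansion rather than the visible text, and the cut can land inside an entity — the commit's own test expects `"Hello &lt..."`, which is malformed HTML. Truncating first and escaping the result keeps the length meaningful and never splits an entity: `text = text.truncate(options.delete(:length), options) if text` followed by `text = h(text) unless text.nil? || text.html_safe? || options[:safe]`. The same ordering question appears to apply in the highlight hunk (@@ -106,7): once the text is escaped, a phrase containing `<`, `>`, `&` or `"` will no longer match the escaped text unless the phrase is escaped the same way before it is turned into the pattern, which the hunk does not show. The enclosing methods start and end outside these hunks.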
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index 17fc8b6edd..108cf510ff 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -41,7 +41,7 @@ class TextHelperTest < ActionView::TestCase
end
def test_simple_format_should_sanitize_unsafe_input
- assert_equal "<p><b> test with unsafe string </b></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
+ assert_equal "<p>&lt;b&gt; test with unsafe string &lt;/b&gt;&lt;script&gt;code!&lt;/script&gt;</p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
end
def test_simple_format_should_not_sanitize_input_if_safe_option
@@ -62,8 +62,7 @@ class TextHelperTest < ActionView::TestCase
end
def test_truncate_should_sanitize_unsafe_input
- assert_equal "Hello World!", truncate("Hello <script>code!</script>World!", :length => 12)
- assert_equal "Hello Wor...", truncate("Hello <script>code!</script>World!!", :length => 12)
+ assert_equal "Hello &lt...", truncate("Hello <script>code!</script>World!!", :length => 12)
end
def test_truncate_should_not_sanitize_input_if_safe_option
@@ -141,7 +140,7 @@ class TextHelperTest < ActionView::TestCase
def test_highlight_should_sanitize_unsafe_input
assert_equal(
- "This is a <strong class=\"highlight\">beautiful</strong> morning",
+ "This is a <strong class=\"highlight\">beautiful</strong> morning&lt;script&gt;code!&lt;/script&gt;",
highlight("This is a beautiful morning<script>code!</script>", "beautiful")
)
end
@@ -190,23 +189,23 @@ class TextHelperTest < ActionView::TestCase
def test_highlight_with_html
assert_equal(
- "<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+ "&lt;p&gt;This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day&lt;/p&gt;",
highlight("<p>This is a beautiful morning, but also a beautiful day</p>", "beautiful")
)
assert_equal(
- "<p>This is a <em><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+ "&lt;p&gt;This is a &lt;em&gt;<strong class=\"highlight\">beautiful</strong>&lt;/em&gt; morning, but also a <strong class=\"highlight\">beautiful</strong> day&lt;/p&gt;",
highlight("<p>This is a <em>beautiful</em> morning, but also a beautiful day</p>", "beautiful")
)
assert_equal(
- "<p>This is a <em class=\"error\"><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> <span class=\"last\">day</span></p>",
+ "&lt;p&gt;This is a &lt;em class=&quot;error&quot;&gt;<strong class=\"highlight\">beautiful</strong>&lt;/em&gt; morning, but also a <strong class=\"highlight\">beautiful</strong> &lt;span class=&quot;last&quot;&gt;day&lt;/span&gt;&lt;/p&gt;",
highlight("<p>This is a <em class=\"error\">beautiful</em> morning, but also a beautiful <span class=\"last\">day</span></p>", "beautiful")
)
assert_equal(
- "<p class=\"beautiful\">This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+ "&lt;p class=&quot;<strong class=\"highlight\">beautiful</strong>&quot;&gt;This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day&lt;/p&gt;",
highlight("<p class=\"beautiful\">This is a beautiful morning, but also a beautiful day</p>", "beautiful")
)
assert_equal(
- "<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&amp;when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+ "&lt;p&gt;This is a <strong class=\"highlight\">beautiful</strong> &lt;a href=&quot;http://example.com/<strong class=\"highlight\">beautiful</strong>#top?what=<strong class=\"highlight\">beautiful</strong>%20morning&amp;when=now+then&quot;&gt;morning&lt;/a&gt;, but also a <strong class=\"highlight\">beautiful</strong> day&lt;/p&gt;",
highlight("<p>This is a beautiful <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a beautiful day</p>", "beautiful")
)
end
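Review bot: The test names visible as context in these hunks still say `sanitize` (`test_simple_format_should_sanitize_unsafe_input`, `test_truncate_should_sanitize_unsafe_input`, `test_highlight_should_sanitize_unsafe_input`) while the expectations now assert escaping; renaming them to `..._should_escape_unsafe_input` keeps the names truthful about the behavior they pin. The new truncate expectation `"Hello &lt..."` also locks in a truncation that splits an HTML entity, so if the helper is later changed to truncate before escaping, this assertion will need to become the escaped form of the visible text rather than a partial entity.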