authorRick Olson <technoweenie@gmail.com>2006-10-18 16:42:19 +0000
committerRick Olson <technoweenie@gmail.com>2006-10-18 16:42:19 +0000
commitdbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5 (patch)
tree0b285eb84a3a651e3b1ba59b64010644bc7fcc45 /actionpack
parent02358c83b76f9fc56b6cabaee24b244d17d08cff (diff)
downloadrails-dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5.tar.gz
rails-dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5.tar.bz2
rails-dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5.zip
Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_view/helpers/tag_helper.rb11
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb4
-rw-r--r--actionpack/test/template/tag_helper_test.rb4
-rw-r--r--actionpack/test/template/url_helper_test.rb4
5 files changed, 22 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 1993fcf41c..05f2328f7d 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
+
* Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc. [Rick]
* Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 6001b21e63..f913c99abb 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -31,10 +31,19 @@ module ActionView
"<![CDATA[#{content}]]>"
end
+ # Escapes a given string, while leaving any currently escaped entities alone.
+ #
+ # escape_once("1 > 2 &amp; 3")
+ # # => "1 &lt; 2 &amp; 3"
+ #
+ def escape_once(html)
+ fix_double_escape(html_escape(html.to_s))
+ end
+
private
def tag_options(options)
cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
- ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+ ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
end
def convert_booleans(options)
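Review bot: The example in the new escape_once doc comment does not match its own output: the input `"1 > 2 &amp; 3"` would escape to `"1 &gt; 2 &amp; 3"`, while the shown result `"1 &lt; 2 &amp; 3"` corresponds to the input the test uses, `'1 < 2 &amp; 3'`. Change the example line to `escape_once("1 < 2 &amp; 3")` so the comment agrees with test_escape_once. Since tag_options now routes every attribute value through this helper, its safety rests on what fix_double_escape reverts, which is not visible in this hunk; a hedged one-liner in the method, `# NOTE: assumes fix_double_escape only reverts &amp;-prefixed entities and never un-escapes a raw < or > — verify`, would make that invariant reviewable. The enclosing module continues outside the hunk.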
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 42c28335d5..4f52a018a7 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -131,8 +131,8 @@ module ActionView
name ||= url
html_options.merge!("type" => "submit", "value" => name)
-
- "<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" +
+
+ "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
method_tag + tag("input", html_options) + "</div></form>"
end
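Review bot: The switch from `h url` to `escape_once url` in the action attribute deserves a why-comment, because a later reader will see what looks like a weaker escape on an attribute that carries caller-supplied data. Suggested line directly above the string: `# escape_once: url may arrive pre-escaped (e.g. &amp;), so h would double-escape it`. Whether url is always a String here depends on code above the hunk (the url_for call is not visible); escape_once's own `html.to_s` is what covers non-string values. The enclosing button_to starts outside the hunk.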
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index 8611f4c9bd..bda57c4e9b 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -39,6 +39,10 @@ class TagHelperTest < Test::Unit::TestCase
assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
end
+ def test_escape_once
+ assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
+ end
+
def test_double_escaping_attributes
['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
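Review bot: test_escape_once never feeds escape_once a bare `&`, so it does not show that an unescaped ampersand is still escaped rather than passed through; the `&amp;` in its input only exercises the leave-alone path and `<` only the escape path. Add `assert_equal '1 &amp; 2 &lt; 3', escape_once('1 & 2 < 3')` and, since the helper is named for the property, an idempotence check `assert_equal escape_once('1 < 2 & 3'), escape_once(escape_once('1 < 2 & 3'))`.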
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 77ca8094f7..ba813f72ce 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -38,6 +38,10 @@ class UrlHelperTest < Test::Unit::TestCase
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
end
+ def test_button_to_with_escaped_query
+ assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2")
+ end
+
def test_button_to_with_query_and_no_name
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"http://www.example.com?q1=v1&amp;q2=v2\" /></div></form>", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
end
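Review bot: test_button_to_with_escaped_query is the existing query test with `&amp;` substituted for `&`, so neither test shows both behaviours on one input. A single case mixing them, `button_to("Hello", "http://www.example.com/q1=v1&q2=v2&amp;q3=v3")` expected to render `action="http://www.example.com/q1=v1&amp;q2=v2&amp;q3=v3"`, would prove in one assertion that raw ampersands are still escaped while pre-escaped ones are left alone.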