aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport
diff options
context:
space:
mode:
authorYehuda Katz <wycats@Yehuda-Katz.local>2010-01-31 19:17:42 -0800
committerYehuda Katz <wycats@Yehuda-Katz.local>2010-01-31 19:39:13 -0800
commit4cbb9db0a5ff65b0a626a5b043331abefd89e717 (patch)
treea112ce55f5521ff31abf0e4357afcc170fc0a143 /activesupport
parent1c83fd2eff3fd174e1aba0512aa2dd8ecdadb2c7 (diff)
downloadrails-4cbb9db0a5ff65b0a626a5b043331abefd89e717.tar.gz
rails-4cbb9db0a5ff65b0a626a5b043331abefd89e717.tar.bz2
rails-4cbb9db0a5ff65b0a626a5b043331abefd89e717.zip
For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support.rb1
-rw-r--r--activesupport/lib/active_support/core_ext/string/output_safety.rb106
-rw-r--r--activesupport/test/core_ext/string_ext_test.rb67
3 files changed, 120 insertions, 54 deletions
diff --git a/activesupport/lib/active_support.rb b/activesupport/lib/active_support.rb
index 833ae351b9..ae31d191c0 100644
--- a/activesupport/lib/active_support.rb
+++ b/activesupport/lib/active_support.rb
@@ -67,5 +67,6 @@ module ActiveSupport
autoload :XmlMini
end
+ autoload :SafeBuffer, "active_support/core_ext/string/output_safety"
autoload :TestCase
end
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index ceed90ce79..3977971e8d 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -1,3 +1,53 @@
+require "erb"
+
+class ERB
+ module Util
+ HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
+ JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+
+ # A utility method for escaping HTML tag characters.
+ # This method is also aliased as <tt>h</tt>.
+ #
+ # In your ERb templates, use this method to escape any unsafe content. For example:
+ # <%=h @person.name %>
+ #
+ # ==== Example:
+ # puts html_escape("is a > 0 & a < 10?")
+ # # => is a &gt; 0 &amp; a &lt; 10?
+ def html_escape(s)
+ s = s.to_s
+ if s.html_safe?
+ s
+ else
+ s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+ end
+ end
+
+ undef :h
+ alias h html_escape
+
+ module_function :html_escape
+ module_function :h
+
+ # A utility method for escaping HTML entities in JSON strings.
+ # This method is also aliased as <tt>j</tt>.
+ #
+ # In your ERb templates, use this method to escape any HTML entities:
+ # <%=j @person.to_json %>
+ #
+ # ==== Example:
+ # puts json_escape("is a > 0 & a < 10?")
+ # # => is a \u003E 0 \u0026 a \u003C 10?
+ def json_escape(s)
+ s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
+ end
+
+ alias j json_escape
+ module_function :j
+ module_function :json_escape
+ end
+end
+
class Object
def html_safe?
false
@@ -10,32 +60,46 @@ class Fixnum
end
end
-class String
- attr_accessor :_rails_html_safe
- alias html_safe? _rails_html_safe
+module ActiveSupport #:nodoc:
+ class SafeBuffer < String
+ alias safe_concat concat
- def html_safe!
- @_rails_html_safe = true
- self
- end
+ def concat(value)
+ if value.html_safe?
+ super(value)
+ else
+ super(ERB::Util.h(value))
+ end
+ end
- def html_safe
- dup.html_safe!
- end
+ def +(other)
+ dup.concat(other)
+ end
+
+ def <<(value)
+ self.concat(value)
+ end
+
+ def html_safe?
+ true
+ end
+
+ def html_safe
+ self
+ end
- alias original_plus +
- def +(other)
- result = original_plus(other)
- result._rails_html_safe = html_safe? && other.html_safe?
- result
+ def to_s
+ self
+ end
end
+end
- alias original_concat <<
- alias safe_concat <<
- def <<(other)
- @_rails_html_safe = false unless other.html_safe?
- result = original_concat(other)
+class String
+ def html_safe!
+ raise "You can't call html_safe! on a String"
end
- alias concat <<
+ def html_safe
+ ActiveSupport::SafeBuffer.new(self)
+ end
end \ No newline at end of file
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index 9a805bc010..ca26f91e8c 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -342,12 +342,12 @@ class OutputSafetyTest < ActiveSupport::TestCase
end
test "A string can be marked safe" do
- @string.html_safe!
- assert @string.html_safe?
+ string = @string.html_safe
+ assert string.html_safe?
end
test "Marking a string safe returns the string" do
- assert_equal @string, @string.html_safe!
+ assert_equal @string, @string.html_safe
end
test "A fixnum is safe by default" do
@@ -361,7 +361,7 @@ class OutputSafetyTest < ActiveSupport::TestCase
end
end
- @string.html_safe!
+ @string.html_safe
@string << klass.new
assert_equal "helloother", @string
@@ -369,44 +369,44 @@ class OutputSafetyTest < ActiveSupport::TestCase
end
test "Adding a safe string to another safe string returns a safe string" do
- @other_string = "other".html_safe!
- @string.html_safe!
- @combination = @other_string + @string
+ @other_string = "other".html_safe
+ string = @string.html_safe
+ @combination = @other_string + string
assert_equal "otherhello", @combination
assert @combination.html_safe?
end
- test "Adding an unsafe string to a safe string returns an unsafe string" do
- @other_string = "other".html_safe!
- @combination = @other_string + @string
- @other_combination = @string + @other_string
+ test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
+ @other_string = "other".html_safe
+ @combination = @other_string + "<foo>"
+ @other_combination = @string + "<foo>"
- assert_equal "otherhello", @combination
- assert_equal "helloother", @other_combination
+ assert_equal "other&lt;foo&gt;", @combination
+ assert_equal "hello<foo>", @other_combination
- assert !@combination.html_safe?
+ assert @combination.html_safe?
assert !@other_combination.html_safe?
end
test "Concatting safe onto unsafe yields unsafe" do
@other_string = "other"
- @string.html_safe!
+ @string.html_safe
@other_string.concat(@string)
assert !@other_string.html_safe?
end
- test "Concatting unsafe onto safe yields unsafe" do
- @other_string = "other".html_safe!
-
- @other_string.concat(@string)
- assert !@other_string.html_safe?
+ test "Concatting unsafe onto safe yields escaped safe" do
+ @other_string = "other".html_safe
+ string = @other_string.concat("<foo>")
+ assert_equal "other&lt;foo&gt;", string
+ assert string.html_safe?
end
test "Concatting safe onto safe yields safe" do
- @other_string = "other".html_safe!
- @string.html_safe!
+ @other_string = "other".html_safe
+ @string.html_safe
@other_string.concat(@string)
assert @other_string.html_safe?
@@ -414,31 +414,32 @@ class OutputSafetyTest < ActiveSupport::TestCase
test "Concatting safe onto unsafe with << yields unsafe" do
@other_string = "other"
- @string.html_safe!
+ @string.html_safe
@other_string << @string
assert !@other_string.html_safe?
end
- test "Concatting unsafe onto safe with << yields unsafe" do
- @other_string = "other".html_safe!
-
- @other_string << @string
- assert !@other_string.html_safe?
+ test "Concatting unsafe onto safe with << yields escaped safe" do
+ @other_string = "other".html_safe
+ string = @other_string << "<foo>"
+ assert_equal "other&lt;foo&gt;", string
+ assert string.html_safe?
end
test "Concatting safe onto safe with << yields safe" do
- @other_string = "other".html_safe!
- @string.html_safe!
+ @other_string = "other".html_safe
+ @string.html_safe
@other_string << @string
assert @other_string.html_safe?
end
test "Concatting a fixnum to safe always yields safe" do
- @string.html_safe!
- @string.concat(13)
- assert @string.html_safe?
+ string = @string.html_safe
+ string = string.concat(13)
+ assert_equal "hello".concat(13), string
+ assert string.html_safe?
end
end