diff options
| -rw-r--r-- | actionview/CHANGELOG.md | 11 | ||||
| -rw-r--r-- | actionview/lib/action_view/template/handlers/raw.rb | 2 | ||||
| -rw-r--r-- | actionview/test/template/render_test.rb | 7 |
3 files changed, 19 insertions, 1 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index 9d669c7cd8..eb426ab7cd 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,3 +1,14 @@ +* Raw template handler (which is also the default template handler in Rails 5) now outputs + HTML-safe strings. + + In Rails 5 the default template handler was changed to the raw template handler. Because + the ERB template handler escaped strings by default this broke some applications that + expected plain JS or HTML files to be rendered unescaped. This fixes the issue caused + by changing the default handler by changing the Raw template handler to output HTML-safe + strings. + + *Eileen M. Uchitelle* + * `select_tag`'s `include_blank` option for generation for blank option tag, now adds an empty space label, when the value as well as content for option tag are empty, so that we confirm with html specification. Ref: https://www.w3.org/TR/html5/forms.html#the-option-element. diff --git a/actionview/lib/action_view/template/handlers/raw.rb b/actionview/lib/action_view/template/handlers/raw.rb index 760f517431..e7519e94f9 100644 --- a/actionview/lib/action_view/template/handlers/raw.rb +++ b/actionview/lib/action_view/template/handlers/raw.rb @@ -2,7 +2,7 @@ module ActionView module Template::Handlers class Raw def call(template) - "#{template.source.inspect};" + "#{template.source.inspect}.html_safe;" end end end diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb index ad93236d32..25b21850b1 100644 --- a/actionview/test/template/render_test.rb +++ b/actionview/test/template/render_test.rb @@ -100,6 +100,13 @@ module RenderTestCases assert_equal %q;Here are some characters: !@#$%^&*()-="'}{`; + "\n", @view.render(:template => "plain_text_with_characters") end + def test_render_raw_is_html_safe_and_does_not_escape_output + buffer = ActiveSupport::SafeBuffer.new + buffer << @view.render(file: "plain_text") + assert_equal true, buffer.html_safe? + assert_equal buffer, "<%= hello_world %>\n" + end + def test_render_ruby_template_with_handlers assert_equal "Hello from Ruby code", @view.render(:template => "ruby_template") end |