-rw-r--r-- | actionpack/lib/action_controller/metal/parameter_encoding.rb | 1 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/tag_helper.rb | 2 | ||||
-rw-r--r-- | actionview/test/template/tag_helper_test.rb | 10 | ||||
-rw-r--r-- | activerecord/test/cases/scoping/relation_scoping_test.rb | 2 | ||||
-rw-r--r-- | activerecord/test/cases/validations_test.rb | 6 | ||||
-rw-r--r-- | railties/test/json_params_parsing_test.rb | 47 |
6 files changed, 62 insertions, 6 deletions
diff --git a/actionpack/lib/action_controller/metal/parameter_encoding.rb b/actionpack/lib/action_controller/metal/parameter_encoding.rb
index f5d3dabb45..75d92087a8 100644
--- a/actionpack/lib/action_controller/metal/parameter_encoding.rb
+++ b/actionpack/lib/action_controller/metal/parameter_encoding.rb
@@ -1,4 +1,5 @@
 module ActionController
+  # Allows encoding to be specified per parameter per action.
   module ParameterEncoding
     extend ActiveSupport::Concern
 
diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
index 030d07845b..7af26edf95 100644
--- a/actionview/lib/action_view/helpers/tag_helper.rb
+++ b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -90,7 +90,7 @@ module ActionView
           else
             value = escape ? ERB::Util.unwrapped_html_escape(value) : value
           end
-          %(#{key}="#{value}")
+          %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
         end
 
         private
diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
index 281fec7291..c7c6649657 100644
--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -274,6 +274,16 @@ class TagHelperTest < ActionView::TestCase
     assert_equal '<p class="song> play>"></p>', tag.p(class: [raw("song>"), "play>"])
   end
 
+  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p title=""">content</p>',
+      content_tag('p', "content", title: '"'.html_safe)
+  end
+
+  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p data-title=""">content</p>',
+      content_tag('p', "content", data: { title: '"'.html_safe })
+  end
+
   def test_skip_invalid_escaped_attributes
     ["&1;", "dfa3;", "& #123;"].each do |escaped|
       assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag("a", href: escaped)
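Review bot: The new `gsub` on the last line of `tag_option` is applied to `value` unconditionally, but the `else` branch two lines above leaves `value` untouched when `escape` is false, so a non-String attribute value (an Integer, Symbol or nil) passed with escaping disabled now raises NoMethodError where the old `"#{value}"` interpolation would have stringified it. Normalising in that branch keeps the quoting fix and the old tolerance: `value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s`. The replacement is rendered here as `'"'.freeze`, which looks like an entity-decoded `'&quot;'.freeze` — replacing `"` with itself would be a no-op and would not close the attribute-injection path the sibling tests check — so confirm against the raw patch. `tag_option`'s signature and its Array branch sit above the hunk.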
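Review bot: The two new tests pin the html_safe double-quote case for a plain and a `data-` attribute, but nothing covers the unescaped path, which is the one most likely to regress once the attribute value is run through `gsub`: a non-String value with escaping turned off, e.g. `assert_equal '<p title="1" />', tag("p", { title: 1 }, false, false)` if that legacy `tag` signature is still supported here, would catch a `gsub` call on something that is not a String. The expected markup is printed as `'<p title=""">content</p>'`, which reads like an entity-decoded `&quot;` and should be checked against the raw patch, since `assert_dom_equal` would parse the three-quote form differently.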
diff --git a/activerecord/test/cases/scoping/relation_scoping_test.rb b/activerecord/test/cases/scoping/relation_scoping_test.rb
index 13007e2e73..a46123f451 100644
--- a/activerecord/test/cases/scoping/relation_scoping_test.rb
+++ b/activerecord/test/cases/scoping/relation_scoping_test.rb
@@ -246,7 +246,7 @@ class NestedRelationScopingTest < ActiveRecord::TestCase
         devs = Developer.all
         sql = devs.to_sql
         assert_match "(salary = 80000)", sql
-        assert_match /LIMIT 10|ROWNUM <= 10|FETCH FIRST 10 ROWS ONLY/, sql
+        assert_match(/LIMIT 10|ROWNUM <= 10|FETCH FIRST 10 ROWS ONLY/, sql)
       end
     end
   end
diff --git a/activerecord/test/cases/validations_test.rb b/activerecord/test/cases/validations_test.rb
index 76510cb80d..5d9aa99497 100644
--- a/activerecord/test/cases/validations_test.rb
+++ b/activerecord/test/cases/validations_test.rb
@@ -156,17 +156,15 @@ class ValidationsTest < ActiveRecord::TestCase
   end
 
   def test_numericality_validation_with_mutation
-    Topic.class_eval do
+    klass = Class.new(Topic) do
       attribute :wibble, :string
       validates_numericality_of :wibble, only_integer: true
     end
 
-    topic = Topic.new(wibble: "123-4567")
+    topic = klass.new(wibble: "123-4567")
     topic.wibble.gsub!("-", "")
 
     assert topic.valid?
-  ensure
-    Topic.reset_column_information
   end
 
   def test_acceptance_validator_doesnt_require_db_connection
diff --git a/railties/test/json_params_parsing_test.rb b/railties/test/json_params_parsing_test.rb
new file mode 100644
index 0000000000..eac731a942
--- /dev/null
+++ b/railties/test/json_params_parsing_test.rb
@@ -0,0 +1,47 @@
+require "abstract_unit"
+require "action_dispatch"
+require "active_record"
+
+class JsonParamsParsingTest < ActionDispatch::IntegrationTest
+  test "prevent null query" do
+    # Make sure we have data to find
+    klass = Class.new(ActiveRecord::Base) do
+      def self.name; 'Foo'; end
+      establish_connection adapter: "sqlite3", database: ":memory:"
+      connection.create_table "foos" do |t|
+        t.string :title
+        t.timestamps null: false
+      end
+    end
+    klass.create
+    assert klass.first
+
+    app = ->(env) {
+      request = ActionDispatch::Request.new env
+      params = ActionController::Parameters.new request.parameters
+      if params[:t]
+        klass.find_by_title(params[:t])
+      else
+        nil
+      end
+    }
+
+    assert_nil app.call(make_env({ 't' => nil }))
+    assert_nil app.call(make_env({ 't' => [nil] }))
+
+    [[[nil]], [[[nil]]]].each do |data|
+      assert_nil app.call(make_env({ 't' => data }))
+    end
+  end
+
+  private
+    def make_env json
+      data = JSON.dump json
+      content_length = data.length
+      {
+        'CONTENT_LENGTH' => content_length,
+        'CONTENT_TYPE' => 'application/json',
+        'rack.input' => StringIO.new(data)
+      }
+    end
+end
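Review bot: `make_env` fills `'CONTENT_LENGTH'` from `data.length`, which is a character count held as an Integer, whereas Rack expects the body's byte length as a string of digits; `'CONTENT_LENGTH' => data.bytesize.to_s` is the faithful value, and the difference is masked here only because the fixtures are ASCII and ActionDispatch calls `to_i` on the header. The `# Make sure we have data to find` comment undersells why `klass.create` matters: the row is created with a NULL `title`, so a `nil` or `[nil]` that leaked through parameter parsing into `find_by_title` as `title IS NULL` would return it and fail `assert_nil`; I would write `# Seed one row with a NULL title: a leaked "title IS NULL" query would find it.` The `'t' => nil` case never reaches the query because the lambda's `if params[:t]` short-circuits, so only the `[nil]` and nested-array cases exercise the parser. The anonymous model's `establish_connection` is never torn down; a `klass.remove_connection` in teardown would be tidier, though for an in-memory SQLite database in one test it is mostly hygiene.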