aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md7
-rw-r--r--actionpack/lib/action_view/template/handlers/erb.rb5
-rw-r--r--actionpack/test/template/template_test.rb16
3 files changed, 27 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 292a153d25..74ae690db0 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,12 @@
## Rails 3.2.10 (unreleased) ##
+* Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
+ of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
+ from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist
+ contains text/plain. Fix #7976 [Backport #8235]
+
+ *Joost Baaij*
+
* `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's
returned value if any. Fix #8086 [Backport #8093]
diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb
index ea495ea9ca..6cc6a8f8ed 100644
--- a/actionpack/lib/action_view/template/handlers/erb.rb
+++ b/actionpack/lib/action_view/template/handlers/erb.rb
@@ -48,6 +48,10 @@ module ActionView
class_attribute :erb_implementation
self.erb_implementation = Erubis
+ # Do not escape templates of these mime types.
+ class_attribute :escape_whitelist
+ self.escape_whitelist = ["text/plain"]
+
ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")
def self.call(template)
@@ -83,6 +87,7 @@ module ActionView
self.class.erb_implementation.new(
erb,
+ :escape => (self.class.escape_whitelist.include? template.mime_type),
:trim => (self.class.erb_trim_mode == "-")
).src
end
diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
index 5880eb2bd4..aa7f5b31fc 100644
--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -25,6 +25,10 @@ class TestERBTemplate < ActiveSupport::TestCase
"Hello"
end
+ def apostrophe
+ "l'apostrophe"
+ end
+
def partial
ActionView::Template.new(
"<%= @virtual_path %>",
@@ -47,7 +51,7 @@ class TestERBTemplate < ActiveSupport::TestCase
end
end
- def new_template(body = "<%= hello %>", details = {})
+ def new_template(body = "<%= hello %>", details = { :format => :html })
ActionView::Template.new(body, "hello template", ERBHandler, {:virtual_path => "hello"}.merge!(details))
end
@@ -64,6 +68,16 @@ class TestERBTemplate < ActiveSupport::TestCase
assert_equal "Hello", render
end
+ def test_basic_template_does_html_escape
+ @template = new_template("<%= apostrophe %>")
+ assert_equal "l&#x27;apostrophe", render
+ end
+
+ def test_text_template_does_not_html_escape
+ @template = new_template("<%= apostrophe %>", :format => :text)
+ assert_equal "l'apostrophe", render
+ end
+
def test_template_loses_its_source_after_rendering
@template = new_template
render