Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_view/template/handlers/erb.rb | 11 | ||||
-rw-r--r-- | actionpack/test/controller/new_base/render_template_test.rb | 10 | ||||
-rw-r--r-- | actionpack/test/template/template_test.rb | 4 |
3 files changed, 21 insertions, 4 deletions
diff --git a/actionpack/lib/action_view/template/handlers/erb.rb b/actionpack/lib/action_view/template/handlers/erb.rb
index 731d8f9dab..afbbece90f 100644
--- a/actionpack/lib/action_view/template/handlers/erb.rb
+++ b/actionpack/lib/action_view/template/handlers/erb.rb
@@ -14,6 +14,17 @@ module ActionView
 src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
 end
+ # Erubis toggles <%= and <%== behavior when escaping is enabled.
+ # We override to always treat <%== as escaped.
+ def add_expr(src, code, indicator)
+ case indicator
+ when '=='
+ add_expr_escaped(src, code)
+ else
+ super
+ end
+ end
+
 BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
 def add_expr_literal(src, code)
diff --git a/actionpack/test/controller/new_base/render_template_test.rb b/actionpack/test/controller/new_base/render_template_test.rb
index d0be4f66d1..6b2ae2b2a9 100644
--- a/actionpack/test/controller/new_base/render_template_test.rb
+++ b/actionpack/test/controller/new_base/render_template_test.rb
@@ -9,7 +9,8 @@ module RenderTemplate
 "locals.html.erb" => "The secret is <%= secret %>",
 "xml_template.xml.builder" => "xml.html do\n xml.p 'Hello'\nend",
 "with_raw.html.erb" => "Hello <%=raw '<strong>this is raw</strong>' %>",
- "with_implicit_raw.html.erb" => "Hello <%== '<strong>this is also raw</strong>' %>",
+ "with_implicit_raw.html.erb" => "Hello <%== '<strong>this is also raw</strong>' %> in a html template",
+ "with_implicit_raw.text.erb" => "Hello <%== '<strong>this is also raw</strong>' %> in a text template",
 "test/with_json.html.erb" => "<%= render :template => 'test/with_json', :formats => [:json] %>",
 "test/with_json.json.erb" => "<%= render :template => 'test/final', :formats => [:json] %>",
 "test/final.json.erb" => "{ final: json }",
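Review bot: The new comment on add_expr says `<%==` is "treated as escaped", but the `when '=='` branch routes it to `add_expr_escaped`, and the accompanying tests expect `<strong>` and the apostrophe to come through untouched in both html and text templates — so "escaped" is Erubis' name for the branch, not HTML escaping, and `<%==` in fact bypasses it. Someone auditing output escaping could take the comment at face value, so it should state the actual effect, e.g. `# Erubis swaps the <%= / <%== handlers when :escape is on; always route <%== to add_expr_escaped so it emits raw (unescaped) output regardless of format, like <%= raw %>`. The context line in add_text shows the handler writing via `@output_buffer.safe_concat`, and presumably add_expr_escaped uses the same call; confirming that and naming it in the comment would make the raw-output contract explicit. The enclosing class starts before the hunk and add_expr_literal's body continues after it.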
@@ -113,7 +114,12 @@ module RenderTemplate
 get :with_implicit_raw
- assert_body "Hello <strong>this is also raw</strong>"
+ assert_body "Hello <strong>this is also raw</strong> in a html template"
+ assert_status 200
+
+ get :with_implicit_raw, format: 'text'
+
+ assert_body "Hello <strong>this is also raw</strong> in a text template"
 assert_status 200
 end
diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
index ed9d303158..8d32205fb8 100644
--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -82,8 +82,8 @@ class TestERBTemplate < ActiveSupport::TestCase
 end
 def test_text_template_does_not_html_escape
- @template = new_template("<%= apostrophe %>", format: :text)
- assert_equal "l'apostrophe", render
+ @template = new_template("<%= apostrophe %> <%== apostrophe %>", format: :text)
+ assert_equal "l'apostrophe l'apostrophe", render
 end
 def test_raw_template |
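Review bot: The added `get :with_implicit_raw, format: 'text'` mixes a string format value with the symbol form used elsewhere in this commit (`format: :text` in template_test.rb) and with the hash-rocket style of the fixtures above in this file (`:formats => [:json]`); the two request styles are easy to confuse when reading the test. Suggest `get :with_implicit_raw, :format => :text` to match the file's existing convention, or at least the symbol form. The test method starts before this hunk.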