diff options
Diffstat (limited to 'actionview')
-rw-r--r-- | actionview/lib/action_view/helpers/tag_helper.rb | 2 | ||||
-rw-r--r-- | actionview/test/template/tag_helper_test.rb | 10 |
2 files changed, 11 insertions, 1 deletions
diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb index 030d07845b..7af26edf95 100644 --- a/actionview/lib/action_view/helpers/tag_helper.rb +++ b/actionview/lib/action_view/helpers/tag_helper.rb @@ -90,7 +90,7 @@ module ActionView else value = escape ? ERB::Util.unwrapped_html_escape(value) : value end - %(#{key}="#{value}") + %(#{key}="#{value.gsub(/"/, '"'.freeze)}") end private diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb index 281fec7291..c7c6649657 100644 --- a/actionview/test/template/tag_helper_test.rb +++ b/actionview/test/template/tag_helper_test.rb @@ -274,6 +274,16 @@ class TagHelperTest < ActionView::TestCase assert_equal '<p class="song> play>"></p>', tag.p(class: [raw("song>"), "play>"]) end + def test_tag_does_not_honor_html_safe_double_quotes_as_attributes + assert_dom_equal '<p title=""">content</p>', + content_tag('p', "content", title: '"'.html_safe) + end + + def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes + assert_dom_equal '<p data-title=""">content</p>', + content_tag('p', "content", data: { title: '"'.html_safe }) + end + def test_skip_invalid_escaped_attributes ["&1;", "dfa3;", "& #123;"].each do |escaped| assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag("a", href: escaped) |