diff options
Diffstat (limited to 'actionview')
| -rw-r--r-- | actionview/CHANGELOG.md | 9 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/number_helper.rb | 19 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/rendering_helper.rb | 7 | ||||
| -rw-r--r-- | actionview/lib/action_view/layouts.rb | 2 | ||||
| -rw-r--r-- | actionview/lib/action_view/renderer/template_renderer.rb | 10 | ||||
| -rw-r--r-- | actionview/lib/action_view/rendering.rb | 7 | ||||
| -rw-r--r-- | actionview/lib/action_view/template.rb | 1 | ||||
| -rw-r--r-- | actionview/lib/action_view/template/html.rb | 34 | ||||
| -rw-r--r-- | actionview/lib/action_view/template/text.rb | 2 | ||||
| -rw-r--r-- | actionview/lib/action_view/version.rb | 2 | ||||
| -rw-r--r-- | actionview/test/template/html_test.rb | 17 | ||||
| -rw-r--r-- | actionview/test/template/number_helper_test.rb | 39 | ||||
| -rw-r--r-- | actionview/test/template/render_test.rb | 2 | ||||
| -rw-r--r-- | actionview/test/template/text_test.rb | 17 |
14 files changed, 156 insertions, 12 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index a0f298a6b1..c05ed10263 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,3 +1,8 @@ +* Added `:plain`, `:html` and `:body` option for `render` method. Please see + Action Pack's release note for more detail. + + *Prem Sichanugrist* + * Date select helpers accept a format string for the months selector via the new option `:month_format_string`. @@ -40,6 +45,10 @@ *Kuldeep Aggarwal* +* Escape format, negative_format and units options of number helpers + + Fixes: CVE-2014-0081 + * A Cycle object should accept an array and cycle through it as it would with a set of comma-separated objects. diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb index ad825cd1f1..7157a95146 100644 --- a/actionview/lib/action_view/helpers/number_helper.rb +++ b/actionview/lib/action_view/helpers/number_helper.rb @@ -384,20 +384,29 @@ module ActionView def delegate_number_helper_method(method, number, options) return unless number - options = escape_unsafe_delimiters_and_separators(options.symbolize_keys) + options = escape_unsafe_options(options.symbolize_keys) wrap_with_output_safety_handling(number, options.delete(:raise)) { ActiveSupport::NumberHelper.public_send(method, number, options) } end - def escape_unsafe_delimiters_and_separators(options) - options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe? - options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe? - options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe? + def escape_unsafe_options(options) + options[:format] = ERB::Util.html_escape(options[:format]) if options[:format] + options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format] + options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] + options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] + options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe? + options[:units] = escape_units(options[:units]) if options[:units] && Hash === options[:units] options end + def escape_units(units) + Hash[units.map do |k, v| + [k, ERB::Util.html_escape(v)] + end] + end + def wrap_with_output_safety_handling(number, raise_on_invalid, &block) valid_float = valid_float?(number) raise InvalidNumberError, number if raise_on_invalid && !valid_float diff --git a/actionview/lib/action_view/helpers/rendering_helper.rb b/actionview/lib/action_view/helpers/rendering_helper.rb index 458086de96..15b88bcda6 100644 --- a/actionview/lib/action_view/helpers/rendering_helper.rb +++ b/actionview/lib/action_view/helpers/rendering_helper.rb @@ -12,6 +12,13 @@ module ActionView # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those. # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller. # * <tt>:text</tt> - Renders the text passed in out. + # * <tt>:plain</tt> - Renders the text passed in out. Setting the content + # type as <tt>text/plain</tt>. + # * <tt>:html</tt> - Renders the html safe string passed in out, otherwise + # performs html escape on the string first. Setting the content type as + # <tt>text/html</tt>. + # * <tt>:body</tt> - Renders the text passed in, and does not set content + # type in the response. # # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter # as the locals hash. diff --git a/actionview/lib/action_view/layouts.rb b/actionview/lib/action_view/layouts.rb index ffa67649da..9ee05bd816 100644 --- a/actionview/lib/action_view/layouts.rb +++ b/actionview/lib/action_view/layouts.rb @@ -420,7 +420,7 @@ module ActionView end def _include_layout?(options) - (options.keys & [:text, :inline, :partial]).empty? || options.key?(:layout) + (options.keys & [:body, :text, :plain, :html, :inline, :partial]).empty? || options.key?(:layout) end end end diff --git a/actionview/lib/action_view/renderer/template_renderer.rb b/actionview/lib/action_view/renderer/template_renderer.rb index 668831dff3..be17097428 100644 --- a/actionview/lib/action_view/renderer/template_renderer.rb +++ b/actionview/lib/action_view/renderer/template_renderer.rb @@ -21,8 +21,14 @@ module ActionView def determine_template(options) #:nodoc: keys = options.fetch(:locals, {}).keys - if options.key?(:text) + if options.key?(:body) + Template::Text.new(options[:body]) + elsif options.key?(:text) Template::Text.new(options[:text], formats.first) + elsif options.key?(:plain) + Template::Text.new(options[:plain]) + elsif options.key?(:html) + Template::HTML.new(options[:html], formats.first) elsif options.key?(:file) with_fallbacks { find_template(options[:file], nil, false, keys, @details) } elsif options.key?(:inline) @@ -35,7 +41,7 @@ module ActionView find_template(options[:template], options[:prefixes], false, keys, @details) end else - raise ArgumentError, "You invoked render but did not give any of :partial, :template, :inline, :file or :text option." + raise ArgumentError, "You invoked render but did not give any of :partial, :template, :inline, :file, :plain, :text or :body option." end end diff --git a/actionview/lib/action_view/rendering.rb b/actionview/lib/action_view/rendering.rb index 7c17220d14..f96587c816 100644 --- a/actionview/lib/action_view/rendering.rb +++ b/actionview/lib/action_view/rendering.rb @@ -100,8 +100,13 @@ module ActionView end # Assign the rendered format to lookup context. - def _process_format(format) #:nodoc: + def _process_format(format, options = {}) #:nodoc: super + + if options[:body] + self.no_content_type = true + end + lookup_context.formats = [format.to_sym] lookup_context.rendered_format = lookup_context.formats.first end diff --git a/actionview/lib/action_view/template.rb b/actionview/lib/action_view/template.rb index 9b0619f1aa..961a969b6e 100644 --- a/actionview/lib/action_view/template.rb +++ b/actionview/lib/action_view/template.rb @@ -90,6 +90,7 @@ module ActionView eager_autoload do autoload :Error autoload :Handlers + autoload :HTML autoload :Text autoload :Types end diff --git a/actionview/lib/action_view/template/html.rb b/actionview/lib/action_view/template/html.rb new file mode 100644 index 0000000000..0321f819b5 --- /dev/null +++ b/actionview/lib/action_view/template/html.rb @@ -0,0 +1,34 @@ +module ActionView #:nodoc: + # = Action View HTML Template + class Template + class HTML #:nodoc: + attr_accessor :type + + def initialize(string, type = nil) + @string = string.to_s + @type = Types[type] || type if type + @type ||= Types[:html] + end + + def identifier + 'html template' + end + + def inspect + 'html template' + end + + def to_str + ERB::Util.h(@string) + end + + def render(*args) + to_str + end + + def formats + [@type.respond_to?(:ref) ? @type.ref : @type.to_s] + end + end + end +end diff --git a/actionview/lib/action_view/template/text.rb b/actionview/lib/action_view/template/text.rb index 859c7bc3ce..04f5b8d17a 100644 --- a/actionview/lib/action_view/template/text.rb +++ b/actionview/lib/action_view/template/text.rb @@ -27,7 +27,7 @@ module ActionView #:nodoc: end def formats - [@type.to_sym] + [@type.respond_to?(:ref) ? @type.ref : @type.to_s] end end end diff --git a/actionview/lib/action_view/version.rb b/actionview/lib/action_view/version.rb index edb6d8f116..3d5d6c9be1 100644 --- a/actionview/lib/action_view/version.rb +++ b/actionview/lib/action_view/version.rb @@ -1,7 +1,7 @@ module ActionView # Returns the version of the currently loaded ActionView as a Gem::Version def self.version - Gem::Version.new "4.1.0.beta1" + Gem::Version.new "4.1.0.beta2" end module VERSION #:nodoc: diff --git a/actionview/test/template/html_test.rb b/actionview/test/template/html_test.rb new file mode 100644 index 0000000000..549c12c88c --- /dev/null +++ b/actionview/test/template/html_test.rb @@ -0,0 +1,17 @@ +require 'abstract_unit' + +class HTMLTest < ActiveSupport::TestCase + test 'formats returns symbol for recognized MIME type' do + assert_equal [:html], ActionView::Template::HTML.new('', :html).formats + end + + test 'formats returns string for recognized MIME type when MIME does not have symbol' do + foo = Mime::Type.lookup("foo") + assert_nil foo.to_sym + assert_equal ['foo'], ActionView::Template::HTML.new('', foo).formats + end + + test 'formats returns string for unknown MIME type' do + assert_equal ['foo'], ActionView::Template::HTML.new('', 'foo').formats + end +end diff --git a/actionview/test/template/number_helper_test.rb b/actionview/test/template/number_helper_test.rb index be336ea3fb..11bc978324 100644 --- a/actionview/test/template/number_helper_test.rb +++ b/actionview/test/template/number_helper_test.rb @@ -8,6 +8,8 @@ class NumberHelperTest < ActionView::TestCase assert_equal "555-1234", number_to_phone(5551234) assert_equal "(800) 555-1212 x 123", number_to_phone(8005551212, area_code: true, extension: 123) assert_equal "+18005551212", number_to_phone(8005551212, country_code: 1, delimiter: "") + assert_equal "+<script></script>8005551212", number_to_phone(8005551212, country_code: "<script></script>", delimiter: "") + assert_equal "8005551212 x <script></script>", number_to_phone(8005551212, extension: "<script></script>", delimiter: "") end def test_number_to_currency @@ -16,11 +18,17 @@ class NumberHelperTest < ActionView::TestCase assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0) assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u") assert_equal "&pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "£") + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("1234567890.50", format: "<b>%n</b> %u") + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", negative_format: "<b>%n</b> %u") + assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", 'negative_format' => "<b>%n</b> %u") end def test_number_to_percentage assert_equal nil, number_to_percentage(nil) assert_equal "100.000%", number_to_percentage(100) + assert_equal "100.000 %", number_to_percentage(100, format: '%n %') + assert_equal "<b>100.000</b> %", number_to_percentage(100, format: '<b>%n</b> %') + assert_equal "<b>100.000</b> %", number_to_percentage(100, format: raw('<b>%n</b> %')) assert_equal "100%", number_to_percentage(100, precision: 0) assert_equal "123.4%", number_to_percentage(123.400, precision: 3, strip_insignificant_zeros: true) assert_equal "1.000,000%", number_to_percentage(1000, delimiter: ".", separator: ",") @@ -52,6 +60,31 @@ class NumberHelperTest < ActionView::TestCase assert_equal "489.0 Thousand", number_to_human(489000, precision: 4, strip_insignificant_zeros: false) end + def test_number_to_human_escape_units + volume = { unit: "<b>ml</b>", thousand: "<b>lt</b>", million: "<b>m3</b>", trillion: "<b>km3</b>", quadrillion: "<b>Pl</b>" } + assert_equal '123 <b>lt</b>', number_to_human(123456, :units => volume) + assert_equal '12 <b>ml</b>', number_to_human(12, :units => volume) + assert_equal '1.23 <b>m3</b>', number_to_human(1234567, :units => volume) + assert_equal '1.23 <b>km3</b>', number_to_human(1_234_567_000_000, :units => volume) + assert_equal '1.23 <b>Pl</b>', number_to_human(1_234_567_000_000_000, :units => volume) + + #Including fractionals + distance = { mili: "<b>mm</b>", centi: "<b>cm</b>", deci: "<b>dm</b>", unit: "<b>m</b>", + ten: "<b>dam</b>", hundred: "<b>hm</b>", thousand: "<b>km</b>", + micro: "<b>um</b>", nano: "<b>nm</b>", pico: "<b>pm</b>", femto: "<b>fm</b>"} + assert_equal '1.23 <b>mm</b>', number_to_human(0.00123, :units => distance) + assert_equal '1.23 <b>cm</b>', number_to_human(0.0123, :units => distance) + assert_equal '1.23 <b>dm</b>', number_to_human(0.123, :units => distance) + assert_equal '1.23 <b>m</b>', number_to_human(1.23, :units => distance) + assert_equal '1.23 <b>dam</b>', number_to_human(12.3, :units => distance) + assert_equal '1.23 <b>hm</b>', number_to_human(123, :units => distance) + assert_equal '1.23 <b>km</b>', number_to_human(1230, :units => distance) + assert_equal '1.23 <b>um</b>', number_to_human(0.00000123, :units => distance) + assert_equal '1.23 <b>nm</b>', number_to_human(0.00000000123, :units => distance) + assert_equal '1.23 <b>pm</b>', number_to_human(0.00000000000123, :units => distance) + assert_equal '1.23 <b>fm</b>', number_to_human(0.00000000000000123, :units => distance) + end + def test_number_helpers_escape_delimiter_and_separator assert_equal "111<script></script>111<script></script>1111", number_to_phone(1111111111, delimiter: "<script></script>") @@ -73,6 +106,12 @@ class NumberHelperTest < ActionView::TestCase assert_equal "100<script></script>000 Quadrillion", number_to_human(10**20, delimiter: "<script></script>") end + def test_number_to_human_with_custom_translation_scope + I18n.backend.store_translations 'ts', + :custom_units_for_number_to_human => {:mili => "mm", :centi => "cm", :deci => "dm", :unit => "m", :ten => "dam", :hundred => "hm", :thousand => "km"} + assert_equal "1.01 cm", number_to_human(0.0101, :locale => 'ts', :units => :custom_units_for_number_to_human) + end + def test_number_helpers_outputs_are_html_safe assert number_to_human(1).html_safe? assert !number_to_human("<script></script>").html_safe? diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb index db5d99755c..ca508abfb8 100644 --- a/actionview/test/template/render_test.rb +++ b/actionview/test/template/render_test.rb @@ -22,7 +22,7 @@ module RenderTestCases def test_render_without_options e = assert_raises(ArgumentError) { @view.render() } - assert_match "You invoked render but did not give any of :partial, :template, :inline, :file or :text option.", e.message + assert_match(/You invoked render but did not give any of (.+) option./, e.message) end def test_render_file diff --git a/actionview/test/template/text_test.rb b/actionview/test/template/text_test.rb new file mode 100644 index 0000000000..d899d54589 --- /dev/null +++ b/actionview/test/template/text_test.rb @@ -0,0 +1,17 @@ +require 'abstract_unit' + +class TextTest < ActiveSupport::TestCase + test 'formats returns symbol for recognized MIME type' do + assert_equal [:text], ActionView::Template::Text.new('', :text).formats + end + + test 'formats returns string for recognized MIME type when MIME does not have symbol' do + foo = Mime::Type.lookup("foo") + assert_nil foo.to_sym + assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats + end + + test 'formats returns string for unknown MIME type' do + assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats + end +end |