From 1d01bad3cedfd690c6d125cac6d4504baa9409e5 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Thu, 15 Oct 2009 09:58:35 +1300
Subject: Make sure non-escaped urls aren't considered safe
---
actionpack/lib/action_view/helpers/url_helper.rb | 2 +-
actionpack/test/template/url_helper_test.rb | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 44e7073227..5b136d4f54 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -93,7 +93,7 @@ module ActionView
polymorphic_path(options)
end
- (escape ? escape_once(url) : url).html_safe!
+ escape ? escape_once(url).html_safe! : url
end
# Creates a link tag of the given +name+ using a URL created by the set
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index cc3b2455d7..cec53e479c 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -26,6 +26,11 @@ class UrlHelperTest < ActionView::TestCase
assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd', :escape => true)
assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd', :escape => false)
end
+ def test_url_for_escaping_is_safety_aware
+ assert url_for(:a => 'b', :c => 'd', :escape => true).html_safe?, "escaped urls should be html_safe?"
+ assert !url_for(:a => 'b', :c => 'd', :escape => false).html_safe?, "non-escaped urls shouldn't be safe"
+ end
def test_url_for_escapes_url_once
@controller.url = "http://www.example.com?a=b&c=d"
--
cgit v1.2.3
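Review bot: The new ternary in url_helper.rb flags only the `escape_once` branch as safe, but nothing near it records why the unescaped `url` must stay unmarked, so the asymmetric line invites the very regression this commit fixes; a why-comment directly above it would anchor the invariant: `# Only an escaped URL may be marked html_safe!: an :escape => false URL (or one from polymorphic_path) can carry raw &, <, " from the caller and must be escaped by the view on output.` Note that `html_safe!` mutates its receiver, which is harmless here only if `escape_once` returns a fresh string rather than its argument — that helper is not visible in the hunk, so worth confirming. The safe mark also says nothing about the URL's scheme: a `javascript:` URL passes `escape_once` untouched and is still flagged safe, so any caller building `href` values from untrusted input needs scheme validation separately. The enclosing `url_for` begins before the hunk.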
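Review bot: The new `test_url_for_escaping_is_safety_aware` observes only the `html_safe?` flag, while the two context lines above it show `:escape => true` and `:escape => false` yielding the identical text `http://www.example.com?a=b&c=d`, so an implementation that merely toggled the flag without escaping anything would still pass. A value containing `<`, `"` or a bare `&` — set through `@controller.url` as `test_url_for_escapes_url_once` below appears to do, though that stub is not visible here — would let the same test pin the escaped bytes and the flag together, e.g. `@controller.url = 'http://www.example.com?q=<x>'` followed by asserting the `:escape => true` result contains `&lt;x&gt;` (if `escape_once` encodes `<` that way) and is `html_safe?`. A case for the `polymorphic_path` branch visible in the first hunk would also be worthwhile, since the fix applies to every path that reaches that final ternary. `test_url_for_escapes_url_once` continues past the end of the hunk.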