From 25b656fefa75954cffff119a14cf7650f4f99a92 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Sun, 6 Mar 2005 12:07:13 +0000
Subject: Fixed that single quote was not escaped in a UrlHelper#link_to javascript confirm #549 [Scott Barron]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@837 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/CHANGELOG | 2 ++
 actionpack/lib/action_view/helpers/url_helper.rb | 2 +-
 actionpack/test/template/url_helper_test.rb | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index dca6e65f46..a319ba5770 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that single quote was not escaped in a UrlHelper#link_to javascript confirm #549 [Scott Barron]
+
 * Removed the default border on link_image_to (it broke xhtml strict) -- can be specified with :border => 0 #517 [?/caleb]
 
 * Fixed that form helpers would treat string and symbol keys differently in html_options (and possibly create duplicate entries) #112 [bitsweat]
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 6c5e338e54..7acfb6407a 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -138,7 +138,7 @@ module ActionView
 private
 def convert_confirm_option_to_javascript!(html_options)
 if confirm = html_options.delete("confirm")
- html_options["onclick"] = "return confirm('#{confirm}');"
+ html_options["onclick"] = "return confirm('#{confirm.gsub(/'/, '\\\\\'')}');"
 end
 end
 end
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 47241bd09f..a38a259167 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
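Review bot: The new `gsub` on the `onclick` line in `convert_confirm_option_to_javascript!` escapes only `'`, so a backslash already present in the `:confirm` text is emitted unescaped and can cancel the escape added in front of a following quote, ending the JavaScript string literal early. Escaping both characters in one pass closes that gap: `escaped = confirm.gsub(/[\\']/) { |c| "\\#{c}" }` followed by `html_options["onclick"] = "return confirm('#{escaped}');"`. A line break in the message would also terminate the literal. Whether the attribute value is HTML-escaped afterwards (for `"`, `<`, `&`) is not visible in this hunk, so that should be confirmed where the tag is rendered. The enclosing module starts and ends outside the hunk.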
@@ -27,6 +27,10 @@ class UrlHelperTest < Test::Unit::TestCase
 "Hello",
 link_to("Hello", "http://www.world.com", :confirm => "Are you sure?")
 )
+ assert_equal(
+ "Hello",
+ link_to("Hello", "http://www.world.com", :confirm => "You can't possibly be sure, can you?")
+ )
 end
 
 def test_link_image_to
-- cgit v1.2.3
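Review bot: The added assertion covers only an apostrophe in `:confirm`, so the escaping is not pinned for the other characters that can end or alter the generated `confirm('...')` literal. A second `assert_equal` with a message containing a backslash, and one containing a double quote, would document what the helper is expected to emit in those cases. The expected values appear on this page as `"Hello"`, presumably because the anchor markup was lost in rendering, so the exact expected output cannot be checked here. The test method begins above the hunk.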