From b4976ce91ba003942acd3f285c6b4fb308657a69 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Fri, 11 Jun 2010 04:37:10 -0300 Subject: text_helper now escape the unsafe input instead of sanitizing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: José Valim --- actionpack/lib/action_view/helpers/text_helper.rb | 8 ++++---- actionpack/test/template/text_helper_test.rb | 17 ++++++++--------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index a06073ce66..700c0b9e3b 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -74,7 +74,7 @@ module ActionView options.reverse_merge!(:length => 30) - text = sanitize(text) unless text.html_safe? || options[:safe] + text = h(text) unless text.html_safe? || options[:safe] text.truncate(options.delete(:length), options) if text end @@ -106,7 +106,7 @@ module ActionView end options.reverse_merge!(:highlighter => '\1') - text = sanitize(text) unless text.html_safe? || options[:safe] + text = h(text) unless text.html_safe? || options[:safe] if text.blank? || phrases.blank? text else @@ -244,7 +244,7 @@ module ActionView def simple_format(text, html_options={}, options={}) text = '' if text.nil? start_tag = tag('p', html_options, true) - text = sanitize(text) unless text.html_safe? || options[:safe] + text = h(text) unless text.html_safe? || options[:safe] text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n text.gsub!(/\n\n+/, "

\n\n#{start_tag}") # 2+ newline -> paragraph text.gsub!(/([^\n]\n)(?=[^\n])/, '\1
') # 1 newline -> br @@ -503,7 +503,7 @@ module ActionView text.html_safe else display_text = (block_given?) ? yield(text) : text - display_text = sanitize(display_text) unless options[:safe] + display_text = h(display_text) unless options[:safe] mail_to text, display_text, html_options end end diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index 17fc8b6edd..108cf510ff 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -41,7 +41,7 @@ class TextHelperTest < ActionView::TestCase end def test_simple_format_should_sanitize_unsafe_input - assert_equal "

test with unsafe string

", simple_format(" test with unsafe string ") + assert_equal "

<b> test with unsafe string </b><script>code!</script>

", simple_format(" test with unsafe string ") end def test_simple_format_should_not_sanitize_input_if_safe_option @@ -62,8 +62,7 @@ class TextHelperTest < ActionView::TestCase end def test_truncate_should_sanitize_unsafe_input - assert_equal "Hello World!", truncate("Hello World!", :length => 12) - assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12) + assert_equal "Hello <...", truncate("Hello World!!", :length => 12) end def test_truncate_should_not_sanitize_input_if_safe_option @@ -141,7 +140,7 @@ class TextHelperTest < ActionView::TestCase def test_highlight_should_sanitize_unsafe_input assert_equal( - "This is a beautiful morning", + "This is a beautiful morning<script>code!</script>", highlight("This is a beautiful morning", "beautiful") ) end @@ -190,23 +189,23 @@ class TextHelperTest < ActionView::TestCase def test_highlight_with_html assert_equal( - "

This is a beautiful morning, but also a beautiful day

", + "<p>This is a beautiful morning, but also a beautiful day</p>", highlight("

This is a beautiful morning, but also a beautiful day

", "beautiful") ) assert_equal( - "

This is a beautiful morning, but also a beautiful day

", + "<p>This is a <em>beautiful</em> morning, but also a beautiful day</p>", highlight("

This is a beautiful morning, but also a beautiful day

", "beautiful") ) assert_equal( - "

This is a beautiful morning, but also a beautiful day

", + "<p>This is a <em class="error">beautiful</em> morning, but also a beautiful <span class="last">day</span></p>", highlight("

This is a beautiful morning, but also a beautiful day

", "beautiful") ) assert_equal( - "

This is a beautiful morning, but also a beautiful day

", + "<p class="beautiful">This is a beautiful morning, but also a beautiful day</p>", highlight("

This is a beautiful morning, but also a beautiful day

", "beautiful") ) assert_equal( - "

This is a beautiful morning, but also a beautiful day

", + "<p>This is a beautiful <a href="http://example.com/beautiful#top?what=beautiful%20morning&when=now+then">morning</a>, but also a beautiful day</p>", highlight("

This is a beautiful morning, but also a beautiful day

", "beautiful") ) end -- cgit v1.2.3