From f6ec296ad84ac7e321980cfdd8bba2ea6ce3a14b Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Thu, 1 May 2008 17:56:32 -0500
Subject: Fixed that TextHelper#text_field would corrypt when raw HTML was used
 as the value (mchenryc, Kevin Glowacz) [#80 state:resolved]

---
 actionpack/CHANGELOG                              |  2 ++
 actionpack/lib/action_view/helpers/form_helper.rb |  1 +
 actionpack/test/template/form_helper_test.rb      | 16 ++++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 65a5934bba..54030047ba 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that TextHelper#text_field would corrypt when raw HTML was used as the value (mchenryc, Kevin Glowacz) [#80]
+
 * Added ActionController::TestCase#rescue_action_in_public! to control whether the action under test should use the regular rescue_action path instead of simply raising the exception inline (great for error testing) [DHH]
 
 * Reduce number of instance variables being copied from controller to view. [Pratik]
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 4459ccbce5..65f4fb6e45 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -486,6 +486,7 @@ module ActionView
         end
         options["type"] = field_type
         options["value"] ||= value_before_type_cast(object) unless field_type == "file"
+        options["value"] &&= html_escape(options["value"])
         add_default_name_and_id(options)
         tag("input", options)
       end
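Review bot: The new `&&=` line escapes `options["value"]` no matter where it came from — the `value_before_type_cast` fallback on the line above or a `"value"` passed explicitly by the template — so a caller that already hands in an escaped string will now get its entities doubled, which the commit message does not mention. Presumably `tag` applies its own attribute escaping that leaves existing entity references untouched, which is what turned a literal `&amp;` in a model value into a bare `&`; if that is the mechanism, escaping only the value filled in from the object (while keeping the `nil` case untouched, since `html_escape(nil)` would yield `""`) would fix the corruption without changing explicit-value behaviour. Either way the line deserves a why-comment, e.g. `# Escape before tag() sees it, so a literal "&amp;" in the value is not mistaken for an already-escaped entity`. The enclosing method starts outside the hunk.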
diff --git a/actionpack/test/template/form_helper_test.rb b/actionpack/test/template/form_helper_test.rb
index b4857fcb62..204575fd89 100644
--- a/actionpack/test/template/form_helper_test.rb
+++ b/actionpack/test/template/form_helper_test.rb
@@ -104,6 +104,14 @@ class FormHelperTest < ActionView::TestCase
     )
   end
 
+  def test_text_field_with_html_entities
+    @post.title = "The HTML Entity for & is &amp;"
+    assert_dom_equal(
+      '<input id="post_title" name="post[title]" size="30" type="text" value="The HTML Entity for &amp; is &amp;amp;" />',
+      text_field("post", "title")
+    )
+  end
+
   def test_text_field_with_options
     expected = '<input id="post_title" name="post[title]" size="35" type="text" value="Hello World" />'
     assert_dom_equal expected, text_field("post", "title", "size" => 35)
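Review bot: `test_text_field_with_html_entities` pins only the model-derived value, while the line added to form_helper.rb also rewrites an explicitly passed `"value"` option, and nothing in this hunk records what is expected there. A second assertion along the lines of `assert_dom_equal '<input id="post_title" name="post[title]" size="30" type="text" value="&lt;b&gt;" />', text_field("post", "title", "value" => "<b>")` (expected string constructed here; adjust to the intended output) would document whether escaping caller-supplied values is deliberate and would catch a later regression in either direction.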
@@ -227,6 +235,14 @@ class FormHelperTest < ActionView::TestCase
     )
   end
 
+  def test_text_area_with_html_entities
+    @post.body        = "The HTML Entity for & is &amp;"
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="post[body]" rows="20">The HTML Entity for &amp; is &amp;amp;</textarea>',
+      text_area("post", "body")
+    )
+  end
+
   def test_text_area_with_size_option
     assert_dom_equal(
       '<textarea cols="183" id="post_body" name="post[body]" rows="820">Back to the hill and over it again!</textarea>',
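Review bot: `@post.body        =` on the first line of `test_text_area_with_html_entities` carries a run of spaces that aligns with nothing else in the method; `@post.body = "The HTML Entity for & is &amp;"` reads cleaner. This test also asserts escaping for `text_area` although the diff only changes `text_field`, so it presumably documents behaviour `text_area` already had; a one-line comment such as `# text_area already escapes; this guards the existing behaviour` would stop a reader from hunting for a missing hunk.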