From cba1460a2fe2bbe1153620582a66e03cec9ba7a5 Mon Sep 17 00:00:00 2001
From: Xavier Noria
Date: Tue, 29 Jun 2010 19:55:57 +0200
Subject: url_for no longer escapes HTML, the :escape option is also gone

Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
---
 actionpack/lib/action_view/helpers/form_tag_helper.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'actionpack/lib/action_view/helpers/form_tag_helper.rb')
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index efa1446d96..7fea5eb055 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -529,6 +529,8 @@ module ActionView
 def html_options_for_form(url_for_options, options, *parameters_for_url)
 returning options.stringify_keys do |html_options|
 html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
+ # The following URL is unescaped, this is just a hash of options, and it is the
+ # responsability of the caller to escape all the values.
 html_options["action"] = url_for(url_for_options, *parameters_for_url)
 html_options["accept-charset"] = "UTF-8"
 html_options["data-remote"] = true if html_options.delete("remote")
--
cgit v1.2.3
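Review bot: The comment added above `html_options["action"] = url_for(...)` puts escaping on "the caller" without naming the code that actually does it. Going by the commit subject, url_for no longer escapes HTML, so the `action` value is only safe if whatever renders this hash into the form tag escapes attribute values. That renderer is outside the hunk, so this should be confirmed and preferably pinned by a test that passes a URL containing `&` and `"` and checks the rendered attribute. The comment also has a comma splice and a misspelling ("responsability"); I would write `# The URL is left unescaped on purpose: this method only builds a hash of options,` followed by `# and the code that renders the hash into HTML must escape every value.` The body of html_options_for_form continues past the end of the hunk.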