From a424808df95c5ebe66d02f0d743e741a1864baa7 Mon Sep 17 00:00:00 2001
From: Wincent Colaiuta
Date: Thu, 17 Jun 2010 08:39:13 +0200
Subject: truncate() should not try to produce HTML-safe output
As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate() method cannot guarantee safe output for all possible inputs/offsets, so it is best to leave the output unsafe so that it gets escaped when used in a view.
Signed-off-by: Santiago Pastorino
Signed-off-by: David Heinemeier Hansson
---
 actionpack/lib/action_view/helpers/text_helper.rb | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 3b37fd6b57..654f3c89f3 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -39,7 +39,10 @@ module ActionView
 # for a total length not exceeding :length.
 #
 # Pass a :separator to truncate +text+ at a natural break.
- # Pass a :safe value as "true" to not to escape the content.
+ #
+ # The result is not marked as HTML-safe, so will be subject to the default escaping when
+ # used in views, unless wrapped by raw(). Care should be taken if +text+ contains HTML tags
+ # or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
 # # ==== Examples # #
@@ -56,12 +59,6 @@ module ActionView # # => "And they f... (continued)" # # truncate("

Once upon a time in a world far far away

") - # # => "<p>Once upon a time i..." - # - # truncate("

Once upon a time in a world far far away

", :safe => true) - # # => "

Once upon a time in a wo..." - # - # truncate("

Once upon a time in a world far far away

".html_safe) # # => "

Once upon a time in a wo..." # # You can still use truncate with the old API that accepts the
@@ -84,7 +81,6 @@ module ActionView
 options.reverse_merge!(:length => 30)
- text = h(text) unless text.html_safe? || options[:safe]
 text.truncate(options.delete(:length), options) if text
 end
-- cgit v1.2.3
From 84d387bc0f3f3f6641b08d0ce40e924f09105c19 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Thu, 17 Jun 2010 12:56:15 -0300
Subject: Make text_helpers methods which return valid html to return it as safe and sanitize the input always unless :sanitize => false is set [#4825 state:committed]
Signed-off-by: David Heinemeier Hansson
---
 actionpack/lib/action_view/helpers/text_helper.rb | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 654f3c89f3..c7f96597b9 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -112,13 +112,13 @@ module ActionView
 end
 options.reverse_merge!(:highlighter => '\1')
- text = h(text) unless text.html_safe? || options[:safe]
+ text = sanitize(text) unless options[:sanitize] == false
 if text.blank? || phrases.blank?
 text
 else
 match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
 text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
- end
+ end.html_safe
 end
 # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
@@ -248,9 +248,9 @@ module ActionView
 # simple_format("Look ma! A class!", :class => 'description')
 # # => "
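Review bot: The removed guard was the only consumer of `options[:safe]`, so a caller that still passes `:safe => true` now has that key forwarded untouched into `text.truncate(options.delete(:length), options)`, and the method relies on String#truncate ignoring keys it does not know. Either `options.delete(:safe)` next to the `:length` delete, or a one-line comment saying the option is accepted and ignored, would make the retirement explicit. The property the commit message wants — output never marked html_safe — also rests on String#truncate returning a plain String rather than on anything in this hunk, so a comment such as `# String#truncate returns a plain String; the result is deliberately not html_safe` and a test asserting `html_safe?` is false for SafeBuffer input would protect it. truncate's body starts outside the hunk.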
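Review bot: With `:sanitize => false` the new `text = sanitize(text)` line is skipped and nothing replaces the escaping the removed `h(text)` performed, yet the trailing `end.html_safe` still marks the result safe, so the opt-out now means the caller vouches for every byte of +text+ (and of +highlighter+, which is interpolated as-is); that contract belongs in highlight's documentation, which lies outside the hunk. The `if text.blank? || phrases.blank?` guard shows nil is an accepted +text+, and if sanitize(nil) returns nil (its definition is not on this page) the `text` branch hands nil to `.html_safe` and raises, where `h(nil)` used to yield an empty string; adding `text = '' if text.nil?` before the sanitize line, mirroring the `text = ''.html_safe if text.nil?` this same commit gives simple_format, would keep that behaviour. highlight's body starts outside the hunk.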

Look ma! A class!

"
 def simple_format(text, html_options={}, options={})
- text = '' if text.nil?
+ text = ''.html_safe if text.nil?
 start_tag = tag('p', html_options, true)
- text = h(text) unless text.html_safe? || options[:safe]
+ text = sanitize(text) unless options[:sanitize] == false
 text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
 text.gsub!(/\n\n+/, "

\n\n#{start_tag}") # 2+ newline -> paragraph
 text.gsub!(/([^\n]\n)(?=[^\n])/, '\1
') # 1 newline -> br
@@ -494,7 +494,11 @@ module ActionView
 link_text = block_given?? yield(href) : href
 href = 'http://' + href unless scheme
- content_tag(:a, link_text, link_attributes.merge('href' => href), !(options[:safe] || text.html_safe?)) + punctuation.reverse.join('')
+ unless options[:sanitize] == false
+ link_text = sanitize(link_text)
+ href = sanitize(href)
+ end
+ content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
 end
 end.html_safe
 end
@@ -509,7 +513,11 @@ module ActionView
 text.html_safe
 else
 display_text = (block_given?) ? yield(text) : text
- display_text = h(display_text) unless options[:safe]
+
+ unless options[:sanitize] == false
+ text = sanitize(text)
+ display_text = sanitize(display_text) unless text == display_text
+ end
 mail_to text, display_text, html_options
 end
 end
-- cgit v1.2.3
From a186431414de8a0f0db9f60254f421a3536cee12 Mon Sep 17 00:00:00 2001
From: David Genord II
Date: Fri, 18 Jun 2010 15:40:20 -0400
Subject: form_for without :html and with :remote should not error [#4902 state:committed]
Signed-off-by: Jeremy Kemper
---
 actionpack/lib/action_view/helpers/form_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index b3db3151d3..a49daab98b 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -302,7 +302,7 @@ module ActionView
 args.unshift object
 end
- options[:html][:remote] = true if options.delete(:remote)
+ (options[:html] ||= {})[:remote] = true if options.delete(:remote)
 output = form_tag(options.delete(:url) || {}, options.delete(:html) || {})
 output << fields_for(object_name, *(args << options), &proc)
-- cgit v1.2.3
From 728b9eccad99d22028577e8b06433e8344b15d01 Mon Sep 17 00:00:00 2001 
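Review bot: On the `:sanitize => false` path the new guard in simple_format leaves `text` as the caller's own object, and the three `text.gsub!` calls that follow then rewrite that object in place; the removed `h(text)` at least copied non-html_safe input before mutation. Whether sanitize() returns a fresh string is not visible here, so the default path may already be fine, but the opt-out path mutates a view-supplied string as a side effect: `text = options[:sanitize] == false ? text.dup : sanitize(text)` keeps both paths non-destructive. simple_format's return statement lies outside the hunk, so whether its result is marked html_safe cannot be checked from this page.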
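Review bot: In the auto_link hunk the escape flag `!!options[:sanitize]` on the new content_tag call disagrees with the guard four lines above: the guard sanitizes for both nil and true, but the flag is false for nil and true for an explicit `:sanitize => true`, so the explicit form gets link_text sanitized and then escaped a second time while the default does not. If sanitize() is meant to replace escaping, pass a literal `false` there with a comment such as `# link_text/href are already sanitized (or explicitly trusted) above`. Note also that sanitize() is an HTML-fragment filter while `href` is emitted inside an attribute with escaping off, so whether a quote character in an auto-linked URL is neutralised depends on sanitize's behaviour, which is not shown here and deserves a test. The enclosing block and method start outside the hunk.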
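Review bot: In the e-mail hunk, `display_text = sanitize(display_text) unless text == display_text` compares the already-sanitized `text` with the raw `display_text`, so the shortcut fires only when sanitize() left `text` unchanged; the output is right either way, but the condition reads as if it detected a block-customised display text, which it does not. Dropping the condition — `display_text = sanitize(display_text)` — is simpler and costs one call; if the saving matters, capture `same = text.equal?(display_text)` before `text` is reassigned and test that. The enclosing method starts outside the hunk.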
From: Wincent Colaiuta
Date: Thu, 17 Jun 2010 09:17:31 +0200
Subject: option_groups_from_collection_for_select should return HTML-safe string [#4879 state:resolved]
Signed-off-by: Xavier Noria
---
 actionpack/lib/action_view/helpers/form_options_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
index fe71d2cdf7..e48580e0ad 100644
--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
@@ -398,7 +398,7 @@ module ActionView
 options_for_select += ""
 options_for_select += options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key)
 options_for_select += ''
- end
+ end.html_safe
 end
 # Returns a string of tags, like options_for_select, but
-- cgit v1.2.3
From 5522578d1631abf1851ed6ff3079ffae3a289b53 Mon Sep 17 00:00:00 2001
From: Thibaud Guillaume-Gentil
Date: Mon, 14 Jun 2010 12:17:42 +0200
Subject: Fixed date_select date_separator when discard_month and/or discard_day are true [#4856 state:resolved]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: José Valim
---
 actionpack/lib/action_view/helpers/date_helper.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/date_helper.rb b/actionpack/lib/action_view/helpers/date_helper.rb
index 7d846a01dd..8a97058abb 100644
--- a/actionpack/lib/action_view/helpers/date_helper.rb
+++ b/actionpack/lib/action_view/helpers/date_helper.rb 
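Review bot: `end.html_safe` asserts that everything concatenated into `options_for_select` above is already escaped, but the first context line of the hunk — the optgroup opening tag, whose string content is not legible on this page — is built by interpolation, and the page does not show whether the group label goes through html_escape; the assertion is only sound if it does, because options_from_collection_for_select's own escaping does not cover the label. A comment at the `.html_safe` such as `# label is escaped above; options_from_collection_for_select escapes its output` would record the invariant, and a test with a label containing `<` would pin it. The method and its `inject` start outside the hunk.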
@@ -894,8 +894,10 @@ module ActionView
 # Returns the separator for a given datetime component
 def separator(type)
 case type
- when :month, :day
- @options[:date_separator]
+ when :month
+ @options[:discard_month] ? "" : @options[:date_separator]
+ when :day
+ @options[:discard_day] ? "" : @options[:date_separator]
 when :hour
 (@options[:discard_year] && @options[:discard_day]) ? "" : @options[:datetime_separator]
 when :minute
-- cgit v1.2.3
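Review bot: The new `:month` and `:day` branches suppress the separator only on their own discard flag, whereas the `:hour` context line below conditions on the neighbouring components (`discard_year && discard_day`); if separator(type) is the string emitted in front of the +type+ select, then `:discard_year => true` with the default order still yields a leading date_separator before the month, which this change does not address and which deserves a test alongside the discard_month/discard_day ones. Stylistically the ternary `@options[:discard_X] ? "" : @options[:date_separator]` now appears twice plus a variant on `:hour`; a small private helper taking the discard condition and the separator would remove the repetition. The case statement continues past the end of the hunk.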