From 4b33306c704d6429e42e317802c92bc57f0de61c Mon Sep 17 00:00:00 2001
From: Jeremy Kemper
Date: Mon, 24 Sep 2007 08:13:55 +0000
Subject: The tag helper may bypass escaping.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7608 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_view/helpers/tag_helper.rb | 43 ++++++++++++++----------
 1 file changed, 26 insertions(+), 17 deletions(-)
(limited to 'actionpack/lib/action_view/helpers')
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 963f494760..999cbfb52a 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -11,9 +11,10 @@ module ActionView
 BOOLEAN_ATTRIBUTES = Set.new(%w(disabled readonly multiple))
 # Returns an empty HTML tag of type +name+ which by default is XHTML
- # compliant. Setting +open+ to true will create an open tag compatible
+ # compliant. Set +open+ to true to create an open tag compatible
 # with HTML 4.0 and below. Add HTML attributes by passing an attributes
- # hash to +options+.
+ # hash to +options+. Set +escape+ to false to disable attribute value
+ # escaping.
 #
 # ==== Options
 # The +options+ hash is used with attributes with no value like (disabled and
@@ -30,16 +31,20 @@ module ActionView
 # tag("input", { :type => 'text', :disabled => true })
 # # =>
 #
- # tag("img", { :src => "open.png" })
- # # =>
- def tag(name, options = nil, open = false)
- "<#{name}#{tag_options(options) if options}" + (open ? ">" : " />")
+ # tag("img", { :src => "open & shut.png" })
+ # # =>
+ #
+ # tag("img", { :src => "open & shut.png" }, false, false)
+ # # =>
+ def tag(name, options = nil, open = false, escape = true)
+ "<#{name}#{tag_options(options, escape) if options}" + (open ? ">" : " />")
 end
 # Returns an HTML block tag of type +name+ surrounding the +content+. Add
 # HTML attributes by passing an attributes hash to +options+.
 # Instead of passing the content as an argument, you can also use a block
 # in which case, you pass your +options+ as the second parameter.
+ # Set escape to false to disable attribute value escaping.
 #
 # ==== Options
 # The +options+ hash is used with attributes with no value like (disabled and
@@ -58,15 +63,15 @@ module ActionView
 # Hello world!
 # <% end -%>
 # # =>

Hello world!

- def content_tag(name, content_or_options_with_block = nil, options = nil, &block)
+ def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
 if block_given?
 options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
 content = capture(&block)
- content_tag = content_tag_string(name, content, options)
+ content_tag = content_tag_string(name, content, options, escape)
 block_is_within_action_view?(block) ? concat(content_tag, block.binding) : content_tag
 else
 content = content_or_options_with_block
- content_tag_string(name, content, options)
+ content_tag_string(name, content, options, escape)
 end
 end
@@ -98,19 +103,23 @@ module ActionView
 end
 private
- def content_tag_string(name, content, options)
- tag_options = tag_options(options) if options
+ def content_tag_string(name, content, options, escape = true)
+ tag_options = tag_options(options, escape) if options
 "<#{name}#{tag_options}>#{content}"
 end
- def tag_options(options)
+ def tag_options(options, escape = true)
 unless options.blank?
 attrs = []
- options.each do |key, value|
- next unless value
- key = key.to_s
- value = BOOLEAN_ATTRIBUTES.include?(key) ? key : escape_once(value)
- attrs << %(#{key}="#{value}")
+ if escape
+ options.each do |key, value|
+ next unless value
+ key = key.to_s
+ value = BOOLEAN_ATTRIBUTES.include?(key) ? key : escape_once(value)
+ attrs << %(#{key}="#{value}")
+ end
+ else
+ attrs = options.map { |key, value| %(#{key}="#{value}") }
 end
 " #{attrs.sort * ' '}" unless attrs.empty?
 end
-- cgit v1.2.3
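Review bot: The new `else` branch of tag_options drops two behaviours that the escaping branch keeps, so `escape = false` changes more than escaping: it has no `next unless value` (a `nil` or `:disabled => false` entry now renders as `disabled=""` instead of being omitted) and no BOOLEAN_ATTRIBUTES substitution (`:disabled => true` renders as `disabled="true"` instead of `disabled="disabled"`). Folding the escape choice into the one existing loop keeps both paths aligned, so that `escape_once` is the only thing the flag switches off and callers of content_tag_string and tag get the same attribute set either way. The guard matters in the unescaped path in particular, because that branch interpolates whatever value it is handed verbatim into the attribute. The enclosing method and the final `end` of tag_options lie outside the hunk.
```ruby
def tag_options(options, escape = true)
  unless options.blank?
    attrs = []
    options.each do |key, value|
      next unless value
      key = key.to_s
      # Boolean attributes always render as key="key"; only other values
      # pass through escape_once, which is what +escape+ switches off.
      value = if BOOLEAN_ATTRIBUTES.include?(key)
                key
              else
                escape ? escape_once(value) : value
              end
      attrs << %(#{key}="#{value}")
    end
    # … unchanged: sorted join and return …
```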