From 19af434840802ca0feb39253241917286467a86e Mon Sep 17 00:00:00 2001
From: Paul Grayson
Date: Fri, 13 Jun 2014 11:08:11 -0700
Subject: In actionview, eliminate calls to tag that use html_safe parameter values.

This is generally unnecessary, since tag handles string quoting, except in one case (utf8_enforcer_tag) where we want to specify the encoding ourselves.
---
 actionview/lib/action_view/helpers/form_tag_helper.rb | 6 ++++--
 actionview/lib/action_view/helpers/tags/text_field.rb | 1 -
 actionview/lib/action_view/helpers/url_helper.rb | 8 +++-----
 3 files changed, 7 insertions(+), 8 deletions(-)
(limited to 'actionview/lib')
diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 88b8400644..7a7ddaa41c 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -794,9 +794,11 @@ module ActionView
 end
 
 # Creates the hidden UTF8 enforcer tag. Override this method in a helper
- # to customize the tag.
+ # to customize the tag. Note that we have the HTML written out
+ # explicitly here to avoid potential problems with including a
+ # unicode character in output.
 def utf8_enforcer_tag
- tag(:input, :type => "hidden", :name => "utf8", :value => "✓".html_safe)
+ %{}.html_safe
 end
 
 private
diff --git a/actionview/lib/action_view/helpers/tags/text_field.rb b/actionview/lib/action_view/helpers/tags/text_field.rb
index e910879ebf..e0b80d81c2 100644
--- a/actionview/lib/action_view/helpers/tags/text_field.rb
+++ b/actionview/lib/action_view/helpers/tags/text_field.rb
@@ -7,7 +7,6 @@ module ActionView
 options["size"] = options["maxlength"] unless options.key?("size")
 options["type"] ||= field_type
 options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
- options["value"] &&= ERB::Util.html_escape(options["value"])
 add_default_name_and_id(options)
 tag("input", options)
 end
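Review bot: The new `%{…}.html_safe` literal in utf8_enforcer_tag bypasses the attribute escaping that the replaced `tag(:input, …)` call performed, so it is only acceptable while it stays a constant with no interpolation, and the method is documented as an override point where this pattern is easy to copy with caller-supplied values. I would extend the new comment with `# Keep this a fixed literal: html_safe is only acceptable because no caller data is interpolated; overrides that take parameters should build the tag with tag/content_tag instead.` In this rendering the literal reads as empty (`%{}`), presumably because the markup inside the braces was stripped, so the actual value attribute and its encoding should be checked against the real source rather than this page.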
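Review bot: With the `ERB::Util.html_escape` line removed from text_field.rb, `tag("input", options)` becomes the only place `options["value"]` is escaped, and nothing in the hunk records that this is deliberate; a comment on the `options["value"] = …` line such as `# value is intentionally left unescaped here; tag escapes it when rendering the attribute` keeps the next maintainer from re-adding a manual escape. The removed line also stopped wrapping the value in an html_safe buffer, so a value that arrives already marked html_safe is presumably emitted by `tag` unchanged, as before — worth pinning with a test on the `value_before_type_cast(object)` path. The enclosing method starts before the hunk, so its signature and any earlier handling of `options` are not visible here.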
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 9a9777317a..c3be47133c 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -462,8 +462,6 @@ module ActionView
 # Email me: me@domain.com
 #
 def mail_to(email_address, name = nil, html_options = {}, &block)
- email_address = ERB::Util.unwrapped_html_escape(email_address)
-
 html_options, name = name, nil if block_given?
 html_options = (html_options || {}).stringify_keys
 
@@ -471,11 +469,11 @@ module ActionView
 option = html_options.delete(item) || next
 "#{item}=#{Rack::Utils.escape_path(option)}"
 }.compact
- extras = extras.empty? ? '' : '?' + ERB::Util.unwrapped_html_escape(extras.join('&'))
+ extras = extras.empty? ? '' : '?' + extras.join('&')
 
- html_options["href"] = "mailto:#{email_address}#{extras}".html_safe
+ html_options["href"] = "mailto:#{email_address}#{extras}"
 
- content_tag(:a, name || email_address.html_safe, html_options, &block)
+ content_tag(:a, name || email_address, html_options, &block)
 end
 
 # True if the current request URI was generated by the given +options+.
-- cgit v1.2.3
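Review bot: In both hunks of url_helper.rb, mail_to now relies on `content_tag` to HTML-escape `email_address` and `extras` when it renders the href attribute and the link text, in place of the explicit `ERB::Util.unwrapped_html_escape` calls, and the method body carries no hint that this is deliberate. A comment above the `html_options["href"] = …` line, `# no manual escaping or html_safe here: content_tag escapes href and the link text`, would stop a future edit from re-marking the string html_safe, which would emit a caller-supplied address unescaped. `Rack::Utils.escape_path` on each option value is URL-encoding, not HTML escaping, so both layers are still in play and the comment should say so. If `email_address` is passed in already marked html_safe it presumably reaches the output unescaped; that is unchanged by this commit but is the case a test should pin. The first hunk ends mid-method and the lines between the two hunks are not shown.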