From 881a2cc9071a3447d562ba358ccd1cf370124617 Mon Sep 17 00:00:00 2001
From: pseidemann
Date: Fri, 8 Nov 2013 17:13:59 +0100
Subject: fix simple_format escapes own output when sanitize is set to true
---
 actionview/CHANGELOG.md | 6 +++++-
 actionview/lib/action_view/helpers/text_helper.rb | 2 +-
 actionview/test/template/text_helper_test.rb | 5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)
(limited to 'actionview')
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 4adf1dbd8f..7d2fedbf2a 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,6 +1,10 @@ +* Fix `simple_format` escapes own output when passing `sanitize: true` + + *Paul Seidemann* + * Ensure ActionView::Digestor.cache is correctly cleaned up when combining recursive templates with ActionView::Resolver.caching = false - + *wyaeld* * Fix `collection_check_boxes` generated hidden input to use the name attribute provided
diff --git a/actionview/lib/action_view/helpers/text_helper.rb b/actionview/lib/action_view/helpers/text_helper.rb
index c23d605c5f..b0e4aa3cd3 100644
--- a/actionview/lib/action_view/helpers/text_helper.rb
+++ b/actionview/lib/action_view/helpers/text_helper.rb
@@ -268,7 +268,7 @@ module ActionView
 content_tag(wrapper_tag, nil, html_options)
 else
 paragraphs.map! { |paragraph|
- content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
+ content_tag(wrapper_tag, paragraph, html_options, false)
 }.join("\n\n").html_safe
 end
 end
diff --git a/actionview/test/template/text_helper_test.rb b/actionview/test/template/text_helper_test.rb
index c2999fcb85..c624326683 100644
--- a/actionview/test/template/text_helper_test.rb
+++ b/actionview/test/template/text_helper_test.rb
@@ -42,6 +42,11 @@ class TextHelperTest < ActionView::TestCase assert_equal "
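Review bot: The `false` now hard-coded as the fourth argument of `content_tag(wrapper_tag, paragraph, html_options, false)` switches off escaping for the whole tag, and as far as I know that flag also governs the `html_options` attribute values, whereas the `content_tag(wrapper_tag, nil, html_options)` call at the top of the hunk leaves it on. Because the joined string is then marked `html_safe`, an attribute value built from request data would be emitted unescaped. Marking only the content as safe avoids the double escape and keeps attribute escaping: `content_tag(wrapper_tag, paragraph.html_safe, html_options)`. The sanitize step this line depends on is earlier in the method, outside the hunk, and the test added in text_helper_test.rb passes `{}` for the HTML options, so neither the dependency nor the attribute case is pinned by what is visible here.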

test with unsafe string

", simple_format(" test with unsafe string ") end + def test_simple_format_should_sanitize_input_when_sanitize_option_is_true + assert_equal '

test with unsafe string

', + simple_format(' test with unsafe string ', {}, sanitize: true) + end + def test_simple_format_should_not_sanitize_input_when_sanitize_option_is_false assert_equal "

test with unsafe string

", simple_format(" test with unsafe string ", {}, :sanitize => false) end -- cgit v1.2.3