From 7c988f8030fa5b779041d682c12132ab4da47d1e Mon Sep 17 00:00:00 2001
From: Yoong Kang Lim <yoongkang.lim@gmail.com>
Date: Wed, 6 May 2015 23:31:49 +1000
Subject: Use ActiveSupport::SafeBuffer when flushing content_for

Previously, when content_for is flushed, the content
was replaced directly by a new value in
ActionView::OutputFlow#set. The problem is this new
value passed to the method may not be an instance of
ActiveSupport::SafeBuffer.

This change forces the value to be set to a new
instance of ActiveSupport::SafeBuffer.
---
 actionview/CHANGELOG.md                         |  6 ++++++
 actionview/lib/action_view/flows.rb             |  2 +-
 actionview/test/template/capture_helper_test.rb | 13 +++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

(limited to 'actionview')

diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 201e118971..50c2ff499b 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,9 @@
+*   Create a new `ActiveSupport::SafeBuffer` instance when `content_for` is flushed.
+
+    Fixes #19890
+
+    *Yoong Kang Lim*
+    
 *   Do not put partial name to `local_assigns` when rendering without
     an object or a collection.
 
diff --git a/actionview/lib/action_view/flows.rb b/actionview/lib/action_view/flows.rb
index ba24510e56..bc61920848 100644
--- a/actionview/lib/action_view/flows.rb
+++ b/actionview/lib/action_view/flows.rb
@@ -15,7 +15,7 @@ module ActionView
 
     # Called by each renderer object to set the layout contents.
     def set(key, value)
-      @content[key] = value
+      @content[key] = ActiveSupport::SafeBuffer.new(value)
     end
 
     # Called by content_for
diff --git a/actionview/test/template/capture_helper_test.rb b/actionview/test/template/capture_helper_test.rb
index 1e099d482c..7e6761e580 100644
--- a/actionview/test/template/capture_helper_test.rb
+++ b/actionview/test/template/capture_helper_test.rb
@@ -148,6 +148,19 @@ class CaptureHelperTest < ActionView::TestCase
     assert ! content_for?(:something_else)
   end
 
+  def test_content_for_should_be_html_safe_after_flush_empty
+    assert ! content_for?(:title)
+    content_for :title do
+      content_tag(:p, 'title')
+    end
+    assert content_for(:title).html_safe?
+    content_for :title, "", flush: true
+    content_for(:title) do
+      content_tag(:p, 'title')
+    end
+    assert content_for(:title).html_safe?
+  end
+
   def test_provide
     assert !content_for?(:title)
     provide :title, "hi"
-- 
cgit v1.2.3