From 4cbb9db0a5ff65b0a626a5b043331abefd89e717 Mon Sep 17 00:00:00 2001 From: Yehuda Katz Date: Sun, 31 Jan 2010 19:17:42 -0800 Subject: For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing concat("".html_safe), you can do safe_concat(""), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe. --- activesupport/lib/active_support.rb | 1 + .../core_ext/string/output_safety.rb | 106 +++++++++++++++++---- activesupport/test/core_ext/string_ext_test.rb | 67 ++++++------- 3 files changed, 120 insertions(+), 54 deletions(-) (limited to 'activesupport') diff --git a/activesupport/lib/active_support.rb b/activesupport/lib/active_support.rb index 833ae351b9..ae31d191c0 100644 --- a/activesupport/lib/active_support.rb +++ b/activesupport/lib/active_support.rb @@ -67,5 +67,6 @@ module ActiveSupport autoload :XmlMini end + autoload :SafeBuffer, "active_support/core_ext/string/output_safety" autoload :TestCase end diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index ceed90ce79..3977971e8d 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -1,3 +1,53 @@ +require "erb" + +class ERB + module Util + HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } + JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } + + # A utility method for escaping HTML tag characters. + # This method is also aliased as h. + # + # In your ERb templates, use this method to escape any unsafe content. For example: + # <%=h @person.name %> + # + # ==== Example: + # puts html_escape("is a > 0 & a < 10?") + # # => is a > 0 & a < 10? + def html_escape(s) + s = s.to_s + if s.html_safe? + s + else + s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe + end + end + + undef :h + alias h html_escape + + module_function :html_escape + module_function :h + + # A utility method for escaping HTML entities in JSON strings. + # This method is also aliased as j. + # + # In your ERb templates, use this method to escape any HTML entities: + # <%=j @person.to_json %> + # + # ==== Example: + # puts json_escape("is a > 0 & a < 10?") + # # => is a \u003E 0 \u0026 a \u003C 10? + def json_escape(s) + s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] } + end + + alias j json_escape + module_function :j + module_function :json_escape + end +end + class Object def html_safe? false @@ -10,32 +60,46 @@ class Fixnum end end -class String - attr_accessor :_rails_html_safe - alias html_safe? _rails_html_safe +module ActiveSupport #:nodoc: + class SafeBuffer < String + alias safe_concat concat - def html_safe! - @_rails_html_safe = true - self - end + def concat(value) + if value.html_safe? + super(value) + else + super(ERB::Util.h(value)) + end + end - def html_safe - dup.html_safe! - end + def +(other) + dup.concat(other) + end + + def <<(value) + self.concat(value) + end + + def html_safe? + true + end + + def html_safe + self + end - alias original_plus + - def +(other) - result = original_plus(other) - result._rails_html_safe = html_safe? && other.html_safe? - result + def to_s + self + end end +end - alias original_concat << - alias safe_concat << - def <<(other) - @_rails_html_safe = false unless other.html_safe? - result = original_concat(other) +class String + def html_safe! + raise "You can't call html_safe! on a String" end - alias concat << + def html_safe + ActiveSupport::SafeBuffer.new(self) + end end \ No newline at end of file diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index 9a805bc010..ca26f91e8c 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -342,12 +342,12 @@ class OutputSafetyTest < ActiveSupport::TestCase end test "A string can be marked safe" do - @string.html_safe! - assert @string.html_safe? + string = @string.html_safe + assert string.html_safe? end test "Marking a string safe returns the string" do - assert_equal @string, @string.html_safe! + assert_equal @string, @string.html_safe end test "A fixnum is safe by default" do @@ -361,7 +361,7 @@ class OutputSafetyTest < ActiveSupport::TestCase end end - @string.html_safe! + @string.html_safe @string << klass.new assert_equal "helloother", @string @@ -369,44 +369,44 @@ class OutputSafetyTest < ActiveSupport::TestCase end test "Adding a safe string to another safe string returns a safe string" do - @other_string = "other".html_safe! - @string.html_safe! - @combination = @other_string + @string + @other_string = "other".html_safe + string = @string.html_safe + @combination = @other_string + string assert_equal "otherhello", @combination assert @combination.html_safe? end - test "Adding an unsafe string to a safe string returns an unsafe string" do - @other_string = "other".html_safe! - @combination = @other_string + @string - @other_combination = @string + @other_string + test "Adding an unsafe string to a safe string escapes it and returns a safe string" do + @other_string = "other".html_safe + @combination = @other_string + "" + @other_combination = @string + "" - assert_equal "otherhello", @combination - assert_equal "helloother", @other_combination + assert_equal "other<foo>", @combination + assert_equal "hello", @other_combination - assert !@combination.html_safe? + assert @combination.html_safe? assert !@other_combination.html_safe? end test "Concatting safe onto unsafe yields unsafe" do @other_string = "other" - @string.html_safe! + @string.html_safe @other_string.concat(@string) assert !@other_string.html_safe? end - test "Concatting unsafe onto safe yields unsafe" do - @other_string = "other".html_safe! - - @other_string.concat(@string) - assert !@other_string.html_safe? + test "Concatting unsafe onto safe yields escaped safe" do + @other_string = "other".html_safe + string = @other_string.concat("") + assert_equal "other<foo>", string + assert string.html_safe? end test "Concatting safe onto safe yields safe" do - @other_string = "other".html_safe! - @string.html_safe! + @other_string = "other".html_safe + @string.html_safe @other_string.concat(@string) assert @other_string.html_safe? @@ -414,31 +414,32 @@ class OutputSafetyTest < ActiveSupport::TestCase test "Concatting safe onto unsafe with << yields unsafe" do @other_string = "other" - @string.html_safe! + @string.html_safe @other_string << @string assert !@other_string.html_safe? end - test "Concatting unsafe onto safe with << yields unsafe" do - @other_string = "other".html_safe! - - @other_string << @string - assert !@other_string.html_safe? + test "Concatting unsafe onto safe with << yields escaped safe" do + @other_string = "other".html_safe + string = @other_string << "" + assert_equal "other<foo>", string + assert string.html_safe? end test "Concatting safe onto safe with << yields safe" do - @other_string = "other".html_safe! - @string.html_safe! + @other_string = "other".html_safe + @string.html_safe @other_string << @string assert @other_string.html_safe? end test "Concatting a fixnum to safe always yields safe" do - @string.html_safe! - @string.concat(13) - assert @string.html_safe? + string = @string.html_safe + string = string.concat(13) + assert_equal "hello".concat(13), string + assert string.html_safe? end end -- cgit v1.2.3