Fix double-escaped entities, such as &, {, etc. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5321 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

actionpack/CHANGELOG

@@ -1,5 +1,7 @@
 *SVN*
 
+* Fix double-escaped entities, such as &, {, etc. [Rick]
+
 * Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]
 
 * Fix routing to correctly determine when generation fails. Closes #6300. [psross].

actionpack/lib/action_view/helpers/tag_helper.rb

@@ -34,7 +34,7 @@ module ActionView
       private
         def tag_options(options)
           cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
-          ' ' + cleaned_options.map {|key, value| %(#{key}="#{html_escape(value.to_s)}")}.sort * ' ' unless cleaned_options.empty?
+          ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
         end
 
         def convert_booleans(options)
@@ -45,6 +45,11 @@ module ActionView
         def boolean_attribute(options, attribute)
           options[attribute] ? options[attribute] = attribute : options.delete(attribute)
         end
+        
+        # Fix double-escaped entities, such as &, {, etc.
+        def fix_double_escape(escaped)
+          escaped.gsub(/&([a-z]+|(#\d+));/i) { "&#{$1};" }
+        end
     end
   end
 end

actionpack/test/template/tag_helper_test.rb

@@ -38,4 +38,16 @@ class TagHelperTest < Test::Unit::TestCase
   def test_cdata_section
     assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
   end
+  
+  def test_double_escaping_attributes
+    ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
+      assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
+    end
+  end
+  
+  def test_skip_invalid_escaped_attributes
+    ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
+      assert_equal %(<a href="#{escaped.gsub /&/, '&amp;'}" />), tag('a', :href => escaped)
+    end
+  end
 end