add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-04-04 03:00:58 -04:00 · 2008-04-08 04:52:01 +00:00
parent 0bea3f8391
commit 0ff7a2d89f
3 changed files with 30 additions and 14 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*

+* add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick]
+
 * Provide a helper proxy to access helper methods from outside views. Closes #10839 [Josh Peek]
  e.g. ApplicationController.helpers.simple_format(text)

--- a/actionpack/lib/action_view/template_handlers/erb.rb
+++ b/actionpack/lib/action_view/template_handlers/erb.rb
@@ -2,7 +2,8 @@ require 'erb'

 class ERB
  module Util
-    HTML_ESCAPE = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C'}

    # A utility method for escaping HTML tag characters.
    # This method is also aliased as <tt>h</tt>.
@@ -16,6 +17,23 @@ class ERB
    def html_escape(s)
      s.to_s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }
    end
+
+    # A utility method for escaping HTML entities in JSON strings.
+    # This method is also aliased as <tt>j</tt>.
+    #
+    # In your ERb templates, use this method to escape any HTML entities:
+    #   <%=j @person.to_json %>
+    #
+    # ==== Example:
+    #   puts json_escape("is a > 0 & a < 10?")
+    #   # => is a \u003E 0 \u0026 a \u003C 10?
+    def json_escape(s)
+      s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
+    end
+
+    alias j json_escape
+    module_function :j
+    module_function :json_escape
  end
 end

--- a/actionpack/test/template/erb_util_test.rb
+++ b/actionpack/test/template/erb_util_test.rb
@@ -2,21 +2,17 @@ require 'abstract_unit'

 class ErbUtilTest < Test::Unit::TestCase
  include ERB::Util
-  
-  def test_amp
-    assert_equal '&amp;', html_escape('&')
-  end
-  
-  def test_quot
-    assert_equal '&quot;', html_escape('"')
-  end

-  def test_lt
-    assert_equal '&lt;', html_escape('<')
-  end
+  ERB::Util::HTML_ESCAPE.each do |given, expected|
+    define_method "test_html_escape_#{expected.gsub /\W/, ''}" do
+      assert_equal expected, html_escape(given)
+    end

-  def test_gt
-    assert_equal '&gt;', html_escape('>')
+    unless given == '"'
+      define_method "test_json_escape_#{expected.gsub /\W/, ''}" do
+        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+      end
+    end
  end
  
  def test_rest_in_ascii