diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 9e604e37a5..8803a1dd34 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Change url_for to escape the resulting URLs when called from a view. [Nicholas Seckar, eddiewould@paradise.net.nz] + * Added easy support for testing file uploads with fixture_file_upload #4105 [turnip@turnipspatch.com]. Example: # Looks in Test::Unit::TestCase.fixture_path + '/files/spongebob.png' diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index de6137659e..c4c8fca98e 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -15,7 +15,7 @@ module ActionView # http://example.com/controller/action part (makes it harder to parse httpd log files) def url_for(options = {}, *parameters_for_method_reference) options = { :only_path => true }.update(options.symbolize_keys) if options.kind_of? Hash - @controller.send(:url_for, options, *parameters_for_method_reference) + html_escape(@controller.send(:url_for, options, *parameters_for_method_reference)) end # Creates a link tag of the given +name+ using an URL created by the set of +options+. See the valid options in @@ -46,8 +46,8 @@ module ActionView else tag_options = nil end - url = html_escape(options.is_a?(String) ? options : url_for(options, *parameters_for_method_reference)) - "#{name||url}" + url = options.is_a?(String) ? options : self.url_for(options, *parameters_for_method_reference) + "#{name || url}" end # Generates a form containing a sole button that submits to the @@ -104,11 +104,10 @@ module ActionView if confirm = html_options.delete("confirm") html_options["onclick"] = "return #{confirm_javascript_function(confirm)};" end - - url, name = options.is_a?(String) ? - [ options, name || options ] : - [ url_for(options), name || html_escape(url_for(options)) ] - + + url = options.is_a?(String) ? options : url_for(options) + name ||= url + html_options.merge!("type" => "submit", "value" => name) "
" + @@ -197,6 +196,7 @@ module ActionView # mail_to "me@domain.com", "My email", :cc => "ccaddress@domain.com", :bcc => "bccaddress@domain.com", :subject => "This is an example email", :body => "This is the body of the message." # => # My email def mail_to(email_address, name = nil, html_options = {}) + name = html_escape(name) if name html_options = html_options.stringify_keys encode = html_options.delete("encode") cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body") diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb index 85ce24b1c2..95b9373c7f 100644 --- a/actionpack/test/template/url_helper_test.rb +++ b/actionpack/test/template/url_helper_test.rb @@ -13,13 +13,20 @@ class UrlHelperTest < Test::Unit::TestCase def setup @controller = Class.new do + attr_accessor :url def url_for(options, *parameters_for_method_reference) - "http://www.example.com" + url end end @controller = @controller.new + @controller.url = "http://www.example.com" end - + + def test_url_for_escapes_urls + @controller.url = "http://www.example.com?a=b&c=d" + assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd') + end + # todo: missing test cases def test_button_to_with_straight_url assert_dom_equal "
", button_to("Hello", "http://www.example.com") @@ -56,17 +63,25 @@ class UrlHelperTest < Test::Unit::TestCase end def test_link_tag_with_query - assert_dom_equal "Hello", link_to("Hello", "http://www.example.com?q1=v1&q2=v2") + assert_dom_equal "Hello", link_to("Hello", "http://www.example.com?q1=v1&q2=v2") end def test_link_tag_with_query_and_no_name - assert_dom_equal "http://www.example.com?q1=v1&q2=v2", link_to(nil, "http://www.example.com?q1=v1&q2=v2") + assert_dom_equal "http://www.example.com?q1=v1&q2=v2", link_to(nil, "http://www.example.com?q1=v1&q2=v2") + end + + def test_link_tag_with_img + assert_dom_equal "", link_to("", "http://www.example.com") + end + + def test_link_with_nil_html_options + assert_dom_equal "Hello", link_to("Hello", {:action => 'myaction'}, nil) end def test_link_tag_with_custom_onclick assert_dom_equal "Hello", link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')") end - + def test_link_tag_with_javascript_confirm assert_dom_equal( "Hello", @@ -147,7 +162,6 @@ class UrlHelperTest < Test::Unit::TestCase assert_equal "Showing", link_to_if(false, "Showing", :action => "show", :controller => "weblog", :id => 1) end - def xtest_link_unless_current @request = RequestMock.new("http://www.example.com") assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog") @@ -157,7 +171,7 @@ class UrlHelperTest < Test::Unit::TestCase @request = RequestMock.new("http://www.example.com") assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog", :id => 1) end - + def test_mail_to assert_dom_equal "david@loudthinking.com", mail_to("david@loudthinking.com") assert_dom_equal "David Heinemeier Hansson", mail_to("david@loudthinking.com", "David Heinemeier Hansson") @@ -191,8 +205,4 @@ class UrlHelperTest < Test::Unit::TestCase assert_dom_equal "me(at)domain(dot)com", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)") assert_dom_equal "", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)") end - - def test_link_with_nil_html_options - assert_dom_equal "Hello", link_to("Hello", {:action => 'myaction'}, nil) - end end