Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext

Introduce `ActionView::Template::Handlers::ERB.escape_whitelist` Conflicts: actionpack/CHANGELOG.md actionpack/test/template/template_test.rb
2026-01-10 07:07:54 -05:00 · 2012-11-16 00:33:14 -08:00
parent f2a98a9243
commit 666a7e34f5
3 changed files with 27 additions and 1 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,12 @@
 ## Rails 3.2.10 (unreleased) ##

+*   Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
+    of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
+    from rendering as `Jack &amp; Joe` for the whitelisted mime types. The default whitelist
+    contains text/plain. Fix #7976 [Backport #8235]
+
+    *Joost Baaij*
+
 *   `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's
    returned value if any. Fix #8086 [Backport #8093]

--- a/actionpack/lib/action_view/template/handlers/erb.rb
+++ b/actionpack/lib/action_view/template/handlers/erb.rb
@@ -48,6 +48,10 @@ module ActionView
        class_attribute :erb_implementation
        self.erb_implementation = Erubis

+        # Do not escape templates of these mime types.
+        class_attribute :escape_whitelist
+        self.escape_whitelist = ["text/plain"]
+
        ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")

        def self.call(template)
@@ -83,6 +87,7 @@ module ActionView

          self.class.erb_implementation.new(
            erb,
+            :escape => (self.class.escape_whitelist.include? template.mime_type),
            :trim => (self.class.erb_trim_mode == "-")
          ).src
        end
--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -25,6 +25,10 @@ class TestERBTemplate < ActiveSupport::TestCase
      "Hello"
    end

+    def apostrophe
+      "l'apostrophe"
+    end
+
    def partial
      ActionView::Template.new(
        "<%= @virtual_path %>",
@@ -47,7 +51,7 @@ class TestERBTemplate < ActiveSupport::TestCase
    end
  end

-  def new_template(body = "<%= hello %>", details = {})
+  def new_template(body = "<%= hello %>", details = { :format => :html })
    ActionView::Template.new(body, "hello template", ERBHandler, {:virtual_path => "hello"}.merge!(details))
  end

@@ -64,6 +68,16 @@ class TestERBTemplate < ActiveSupport::TestCase
    assert_equal "Hello", render
  end

+  def test_basic_template_does_html_escape
+    @template = new_template("<%= apostrophe %>")
+    assert_equal "l&#x27;apostrophe", render
+  end
+
+  def test_text_template_does_not_html_escape
+    @template = new_template("<%= apostrophe %>", :format => :text)
+    assert_equal "l'apostrophe", render
+  end
+
  def test_template_loses_its_source_after_rendering
    @template = new_template
    render