github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-30 00:38:00 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]

Browse Source 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
Rick Olson
2006-10-18 16:42:19 +00:00
parent 02358c83b7
commit dbd0bd5e5c
5 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
actionpack/CHANGELOG
View File

@@ -1,5 +1,7 @@
*SVN*
* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
* Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc. [Rick]
* Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]

11
actionpack/lib/action_view/helpers/tag_helper.rb
View File

@@ -31,10 +31,19 @@ module ActionView
"<![CDATA[#{content}]]>"
end
# Escapes a given string, while leaving any currently escaped entities alone.
#
# escape_once("1 > 2 &amp; 3")
# # => "1 &lt; 2 &amp; 3"
#
def escape_once(html)
fix_double_escape(html_escape(html.to_s))
end
private
def tag_options(options)
cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
end
def convert_booleans(options)

4
actionpack/lib/action_view/helpers/url_helper.rb
View File

@@ -131,8 +131,8 @@ module ActionView
name ||= url
html_options.merge!("type" => "submit", "value" => name)
"<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" +
"<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
method_tag + tag("input", html_options) + "</div></form>"
end

4
actionpack/test/template/tag_helper_test.rb
View File

@@ -39,6 +39,10 @@ class TagHelperTest < Test::Unit::TestCase
assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
end
def test_escape_once
assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
end
def test_double_escaping_attributes
['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)

4
actionpack/test/template/url_helper_test.rb
View File

@@ -38,6 +38,10 @@ class UrlHelperTest < Test::Unit::TestCase
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
end
def test_button_to_with_escaped_query
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2")
end
def test_button_to_with_query_and_no_name
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"http://www.example.com?q1=v1&amp;q2=v2\" /></div></form>", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
end