github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-04-26 03:00:59 -04:00
Code Issues Packages Projects Releases Wiki Activity

content_tag should escape its input

Browse Source 
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
This commit is contained in:
Bruno Michel
2010-02-13 19:53:26 -02:00
committed by Yehuda Katz
parent 411c15ed52
commit f86421fb28
10 changed files with 25 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
actionpack/lib/action_view/helpers/active_model_helper.rb
View File

@@ -127,7 +127,7 @@ module ActionView
if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) &&
(errors = obj.errors[method])
content_tag("div",
"#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}",
"#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}".html_safe,
:class => options[:css_class]
)
else
@@ -228,14 +228,14 @@ module ActionView
object.errors.full_messages.map do |msg|
content_tag(:li, ERB::Util.html_escape(msg))
end
end.join
end.join.html_safe
contents = ''
contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
contents << content_tag(:p, message) unless message.blank?
contents << content_tag(:ul, error_messages)
content_tag(:div, contents, html)
content_tag(:div, contents.html_safe, html)
end
else
''

6
actionpack/lib/action_view/helpers/date_helper.rb
View File

@@ -815,7 +815,7 @@ module ActionView
tag_options[:selected] = "selected" if selected == i
select_options << content_tag(:option, value, tag_options)
end
select_options.join("\n") + "\n"
(select_options.join("\n") + "\n").html_safe
end
# Builds select tag from date type and html select options
@@ -833,9 +833,9 @@ module ActionView
select_html = "\n"
select_html << content_tag(:option, '', :value => '') + "\n" if @options[:include_blank]
select_html << prompt_option_tag(type, @options[:prompt]) + "\n" if @options[:prompt]
select_html << select_options_as_html.to_s
select_html << select_options_as_html
(content_tag(:select, select_html, select_options) + "\n").html_safe
(content_tag(:select, select_html.html_safe, select_options) + "\n").html_safe
end
# Builds a prompt option tag with supplied options or from default options

5
actionpack/lib/action_view/helpers/form_options_helper.rb
View File

@@ -572,10 +572,9 @@ module ActionView
end
if value.blank? && options[:prompt]
prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
"<option value=\"\">#{prompt}</option>\n" + option_tags
else
option_tags
option_tags = "<option value=\"\">#{prompt}</option>\n" + option_tags
end
option_tags.html_safe
end
end

6
actionpack/lib/action_view/helpers/form_tag_helper.rb
View File

@@ -90,9 +90,9 @@ module ActionView
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if blank = options.delete(:include_blank)
if blank.kind_of?(String)
option_tags = "<option value=\"\">#{blank}</option>" + option_tags
option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
else
option_tags = "<option value=\"\"></option>" + option_tags
option_tags = "<option value=\"\"></option>".html_safe + option_tags
end
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
@@ -279,7 +279,7 @@ module ActionView
escape = options.key?("escape") ? options.delete("escape") : true
content = html_escape(content) if escape
content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
content_tag :textarea, content.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
end
# Creates a check box form input tag.

2
actionpack/lib/action_view/helpers/javascript_helper.rb
View File

@@ -93,7 +93,7 @@ module ActionView
end
def javascript_cdata_section(content) #:nodoc:
"\n//#{cdata_section("\n#{content}\n//")}\n"
"\n//#{cdata_section("\n#{content}\n//")}\n".html_safe
end
end
end

2
actionpack/lib/action_view/helpers/tag_helper.rb
View File

@@ -127,7 +127,7 @@ module ActionView
def content_tag_string(name, content, options, escape = true)
tag_options = tag_options(options, escape) if options
"<#{name}#{tag_options}>#{content}</#{name}>".html_safe
"<#{name}#{tag_options}>#{ERB::Util.h content}</#{name}>".html_safe
end
def tag_options(options, escape = true)

2
actionpack/lib/action_view/helpers/url_helper.rb
View File

@@ -493,7 +493,7 @@ module ActionView
char = c.chr
string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
end
content_tag "a", name || email_address_encoded, html_options.merge({ "href" => "#{string}#{extras}" })
content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
else
content_tag "a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
end

16
actionpack/test/template/form_tag_helper_test.rb
View File

@@ -127,19 +127,19 @@ class FormTagHelperTest < ActionView::TestCase
end
def test_select_tag
actual = select_tag "people", "<option>david</option>"
actual = select_tag "people", "<option>david</option>".html_safe
expected = %(<select id="people" name="people"><option>david</option></select>)
assert_dom_equal expected, actual
end
def test_select_tag_with_multiple
actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>", :multiple => :true
actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>".html_safe, :multiple => :true
expected = %(<select id="colors" multiple="multiple" name="colors"><option>Red</option><option>Blue</option><option>Green</option></select>)
assert_dom_equal expected, actual
end
def test_select_tag_disabled
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>", :disabled => :true
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :disabled => :true
expected = %(<select id="places" disabled="disabled" name="places"><option>Home</option><option>Work</option><option>Pub</option></select>)
assert_dom_equal expected, actual
end
@@ -150,13 +150,13 @@ class FormTagHelperTest < ActionView::TestCase
end
def test_select_tag_with_include_blank
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>", :include_blank => true
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => true
expected = %(<select id="places" name="places"><option value=""></option><option>Home</option><option>Work</option><option>Pub</option></select>)
assert_dom_equal expected, actual
end
def test_select_tag_with_include_blank_with_string
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>", :include_blank => "string"
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => "string"
expected = %(<select id="places" name="places"><option value="">string</option><option>Home</option><option>Work</option><option>Pub</option></select>)
assert_dom_equal expected, actual
end
@@ -282,9 +282,9 @@ class FormTagHelperTest < ActionView::TestCase
assert_dom_equal %(<input checked="checked" disabled="disabled" id="admin" name="admin" readonly="readonly" type="checkbox" value="1" />), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes")
assert_dom_equal %(<input checked="checked" id="admin" name="admin" type="checkbox" value="1" />), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil)
assert_dom_equal %(<input type="checkbox" />), tag(:input, :type => "checkbox", :checked => false)
assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>", :multiple => true)
assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>", :multiple => true)
assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>", :multiple => nil)
assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => true)
assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>".html_safe, :multiple => true)
assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => nil)
end
def test_stringify_symbol_keys

2
actionpack/test/template/tag_helper_test.rb
View File

@@ -37,6 +37,8 @@ class TagHelperTest < ActionView::TestCase
assert content_tag("a", "Create", "href" => "create").html_safe?
assert_equal content_tag("a", "Create", "href" => "create"),
content_tag("a", "Create", :href => "create")
assert_equal "<p>&lt;script&gt;evil_js&lt;/script&gt;</p>",
content_tag(:p, '<script>evil_js</script>')
end
def test_content_tag_with_block_in_erb

2
actionpack/test/template/url_helper_test.rb
View File

@@ -346,7 +346,7 @@ class UrlHelperTest < ActionView::TestCase
end
def test_mail_to_with_img
assert_dom_equal %(<a href="mailto:feedback@example.com"><img src="/feedback.png" /></a>), mail_to('feedback@example.com', '<img src="/feedback.png" />')
assert_dom_equal %(<a href="mailto:feedback@example.com"><img src="/feedback.png" /></a>), mail_to('feedback@example.com', '<img src="/feedback.png" />'.html_safe)
end
def test_mail_to_with_hex