This doesn't provide a way to turn off the escaping, but alternative template engine authors
can figure out what their default should be by calling this. Avoids a messy version + plugin check.
Fixes RSpec integration example groups, which mixes its Matchers
module into ActiveSupport::TestCase.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
Previously this example would always pass, even when cookies.delete was not called.
@request.cookies['foo'] = 'bar'
get :delete_cookie
assert_nil cookies['foo']
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#2768 state:committed]
ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by
default. This was most commonly seen when generating a path with multiple
query parameters, e.g.
url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456)
would return
http://example.com/foo/bar?that=456&this=123
escaping an ampersand that shouldn't be escaped. This is both wrong and
inconsistent with the behavior of ActionController#url_for, and is changed.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
By using config rather than hardcoded constants, we can evolve the
configuration system over time (we'd just need to update the config
method with more robust capabilities and all consumers would get
the capabilities with no code changes)
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
