Fix for 4034
aslakhellesoy committed Feb 22, 2010
1 parent 39bcf14 commit 30416d3
Showing 11 changed files with 19 additions and 21 deletions.
4 changes: 2 additions & 2 deletions actionpack/lib/action_controller/failsafe.rb
Expand Up @@ -62,11 +62,11 @@ def failsafe_response_body

# The default 500.html uses the h() method.
def h(text) # :nodoc:
ERB::Util.h(text)
SafeERB::Util.h(text)
end

def render_template(filename)
ERB.new(File.read(filename)).result(binding)
SafeERB.new(File.read(filename)).result(binding)
end

def log_failsafe_exception(exception)
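Review bot: `h` and `render_template` now reference `SafeERB` and `SafeERB::Util`, which are defined by the Rails output-safety extension rather than by stdlib `erb`; the file's require lines are outside the hunk, so confirm the defining file is required from failsafe.rb itself. Before this change `ERB::Util.h` and `ERB.new` resolved to stdlib constants even if the patch had not loaded, whereas a missing require now raises NameError inside the 500-page path, i.e. while rendering the response for an earlier failure. `render_template` also calls `result(binding)` with no output-variable argument, so the template uses the `_erbout` default that `SafeERB#set_eoutvar` (in the SafeERB section further down) rewrites to `_erbout.safe_concat`; that requires the plain String buffer to respond to `safe_concat`, which this page does not show, so it is worth verifying. A one-line comment such as `# Escaping here must not depend on the view stack, which may be what failed.` above `h` would make the intent clear; `log_failsafe_exception` continues past the hunk.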
2 changes: 1 addition & 1 deletion actionpack/lib/action_view/base.rb
Expand Up @@ -160,7 +160,7 @@ def initialize(paths, path, template_format = nil)
#
# See the ActionView::Helpers::PrototypeHelper::GeneratorMethods documentation for more details.
class Base
include Helpers, Partials, ::ERB::Util
include Helpers, Partials, ::SafeERB::Util
extend ActiveSupport::Memoizable

attr_accessor :base_path, :assigns, :template_extension
4 changes: 2 additions & 2 deletions actionpack/lib/action_view/helpers/active_record_helper.rb
Expand Up @@ -121,7 +121,7 @@ def error_message_on(object, method, *args)
if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) &&
(errors = obj.errors.on(method))
content_tag("div",
"#{options[:prepend_text]}#{ERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}".html_safe,
"#{options[:prepend_text]}#{SafeERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}".html_safe,
:class => options[:css_class]
)
else
Expand Down Expand Up @@ -198,7 +198,7 @@ def error_messages_for(*params)
locale.t :header, :count => count, :model => object_name
end
message = options.include?(:message) ? options[:message] : locale.t(:body)
error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join.html_safe
error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, SafeERB::Util.html_escape(msg)) } }.join.html_safe

contents = ''
contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
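Review bot: The changed line in `error_message_on` escapes only the error message and then marks the whole interpolated string `html_safe`, so `options[:prepend_text]` and `options[:append_text]` reach the page unescaped; `error_message_on` itself starts above the hunk. If these options are meant to accept markup, the method's documentation should say so explicitly; if they are meant to be plain text, escape them too, e.g. `"#{SafeERB::Util.html_escape(options[:prepend_text])}#{SafeERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{SafeERB::Util.html_escape(options[:append_text])}".html_safe`. This is pre-existing behavior that the rename leaves in place; the `error_messages_for` hunk, by contrast, escapes each message inside `content_tag(:li, ...)` before `.join.html_safe`.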
2 changes: 1 addition & 1 deletion actionpack/lib/action_view/helpers/form_options_helper.rb
Expand Up @@ -97,7 +97,7 @@ module Helpers
# </select>
#
module FormOptionsHelper
include ERB::Util
include SafeERB::Util

# Create a select tag and a series of contained option tags for the provided object and method.
# The option currently held by the object will be selected, provided that the object is available.
4 changes: 2 additions & 2 deletions actionpack/lib/action_view/helpers/tag_helper.rb
Expand Up @@ -6,7 +6,7 @@ module Helpers #:nodoc:
# Provides methods to generate HTML tags programmatically when you can't use
# a Builder. By default, they output XHTML compliant tags.
module TagHelper
include ERB::Util
include SafeERB::Util

BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked).to_set
BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
Expand Down Expand Up @@ -103,7 +103,7 @@ def cdata_section(content)
# escape_once("&lt;&lt; Accept & Checkout")
# # => "&lt;&lt; Accept &amp; Checkout"
def escape_once(html)
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| SafeERB::Util::HTML_ESCAPE[special] }
end

private
2 changes: 1 addition & 1 deletion actionpack/lib/action_view/template_handlers/erb.rb
Expand Up @@ -11,7 +11,7 @@ class ERB < TemplateHandler
self.erb_trim_mode = '-'

def compile(template)
src = ::ERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src
src = ::SafeERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src

# Ruby 1.9 prepends an encoding to the source. However this is
# useless because you can only set an encoding on the first line
6 changes: 3 additions & 3 deletions actionpack/test/controller/output_escaping_test.rb
Expand Up @@ -3,17 +3,17 @@
class OutputEscapingTest < ActiveSupport::TestCase

test "escape_html shouldn't die when passed nil" do
assert ERB::Util.h(nil).blank?
assert SafeERB::Util.h(nil).blank?
end

test "escapeHTML should escape strings" do
assert_equal "&lt;&gt;&quot;", ERB::Util.h("<>\"")
assert_equal "&lt;&gt;&quot;", SafeERB::Util.h("<>\"")
end

test "escapeHTML shouldn't touch explicitly safe strings" do
# TODO this seems easier to compose and reason about, but
# this should be verified
assert_equal "<", ERB::Util.h("<".html_safe)
assert_equal "<", SafeERB::Util.h("<".html_safe)
end

end
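Review bot: Nothing in this test file asserts the other half of the change, that stdlib `ERB` is no longer modified now that `undef :set_eoutvar` / `undef :h` are gone and the overrides live on a `SafeERB` subclass, so a future patch that reopens `ERB` again would pass these tests unnoticed. Consider adding `test "stock ERB::Util.h is left untouched" do` / `assert_equal "&lt;", ERB::Util.h("<".html_safe)` / `end`, which fails if `ERB::Util.h` is overridden to honor `html_safe?` (the third test above pins the opposite expectation for `SafeERB::Util.h`); a companion assertion that `ERB.new("<%= 1 %>").src` does not contain `safe_concat` would cover `set_eoutvar`. `erb_util_test.rb` in the next section has the same gap.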
6 changes: 3 additions & 3 deletions actionpack/test/template/erb_util_test.rb
@@ -1,16 +1,16 @@
require 'abstract_unit'

class ErbUtilTest < Test::Unit::TestCase
include ERB::Util
include SafeERB::Util

ERB::Util::HTML_ESCAPE.each do |given, expected|
SafeERB::Util::HTML_ESCAPE.each do |given, expected|
define_method "test_html_escape_#{expected.gsub /\W/, ''}" do
assert_equal expected, html_escape(given)
end

unless given == '"'
define_method "test_json_escape_#{expected.gsub /\W/, ''}" do
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
assert_equal SafeERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
end
@@ -1,7 +1,6 @@
require 'erb'

class ERB
undef :set_eoutvar
class SafeERB < ERB
def set_eoutvar(compiler, eoutvar = '_erbout')
compiler.put_cmd = "#{eoutvar}.safe_concat"
compiler.insert_cmd = "#{eoutvar}.safe_concat"
Expand Down Expand Up @@ -39,7 +38,6 @@ def html_escape(s)
end
end

undef :h
alias h html_escape

module_function :html_escape
Expand Down Expand Up @@ -84,7 +82,7 @@ def concat(value)
if value.html_safe?
super(value)
else
super(ERB::Util.h(value))
super(SafeERB::Util.h(value))
end
end
alias << concat
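Review bot: `class SafeERB < ERB` carries no comment explaining why the former reopening of `ERB` (with its `undef :set_eoutvar` and `undef :h`) became a subclass, which is the substance of this fix; a reader of the new file sees only an ERB subclass with a changed `set_eoutvar`. Suggest above the class line: `# Subclass rather than a patch of ::ERB: templates compiled through SafeERB append to the output variable with #safe_concat, and stdlib ERB is left unmodified for its other users.` The rendered page dropped this section's file header, so the path is not visible here; `set_eoutvar` continues past the first hunk, and the class enclosing `concat` is outside the third.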
2 changes: 1 addition & 1 deletion railties/guides/rails_guides/generator.rb
Expand Up @@ -122,7 +122,7 @@ def textile(body)
def with_workaround_for_notextile(body)
code_blocks = []
body.gsub!(%r{<(yaml|shell|ruby|erb|html|sql|plain)>(.*?)</\1>}m) do |m|
es = ERB::Util.h($2)
es = SafeERB::Util.h($2)
css_class = ['erb', 'shell'].include?($1) ? 'html' : $1
code_blocks << %{<div class="code_container"><code class="#{css_class}">#{es}</code></div>}
"\ndirty_workaround_for_notextile_#{code_blocks.size - 1}\n"
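Review bot: The block in `with_workaround_for_notextile` declares `|m|` but never uses it, and reads the captures through `$1`/`$2`, which are easy to clobber if anything in the block runs another match; `Regexp.last_match(2)` or named captures are clearer, e.g. `es = SafeERB::Util.h(Regexp.last_match(2))`. The same regex, escaping and `code_container` wrapping are duplicated in `textile_extensions.rb#code` (next section); extracting one shared helper would keep the two from drifting. Since `$2` here is an ordinary String from a guide source, only the escaping behavior of `SafeERB::Util.h` is used; if the guides generator does not otherwise need the output-safety extension, stdlib `ERB::Util.h` (which this commit leaves unpatched) would drop a dependency, though the file's requires are not visible from here.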
2 changes: 1 addition & 1 deletion railties/guides/rails_guides/textile_extensions.rb
Expand Up @@ -32,7 +32,7 @@ def plusplus(body)

def code(body)
body.gsub!(%r{<(yaml|shell|ruby|erb|html|sql|plain)>(.*?)</\1>}m) do |m|
es = ERB::Util.h($2)
es = SafeERB::Util.h($2)
css_class = ['erb', 'shell'].include?($1) ? 'html' : $1
%{<notextile><div class="code_container"><code class="#{css_class}">#{es}</code></div></notextile>}
end
