Made markdown honor :safe option and handle safe input. Also added te…

…sts for markdown. [#4794 state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com>
rails · Jun 8, 2010 · 47bf19c · 47bf19c
1 parent 9d33c2a
commit 47bf19c
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/Gemfile b/Gemfile
@@ -46,6 +46,7 @@ end
 
 # AP
 gem "RedCloth", ">= 4.2.2"
+gem "bluecloth", ">= 2.0.7"
 
 group :documentation do
   gem 'rdoc', '2.1'

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -298,8 +298,8 @@ def textilize_without_paragraph(text, *options)
       #
       #   markdown('![The ROR logo](http://rubyonrails.com/images/rails.png "Ruby on Rails")')
       #   # => '<p><img src="http://rubyonrails.com/images/rails.png" alt="The ROR logo" title="Ruby on Rails" /></p>'
-      def markdown(text, options = {})
-        text = sanitize(text) unless options[:safe]
+      def markdown(text, *options)
+        text = sanitize(text) unless text.html_safe? || options.delete(:safe)
         (text.blank? ? "" : BlueCloth.new(text).to_html).html_safe
       end
 

diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
@@ -7,6 +7,12 @@
   $stderr.puts "Skipping textilize tests. `gem install RedCloth` to enable."
 end
 
+begin
+  require 'bluecloth'
+rescue LoadError
+  $stderr.puts "Skipping markdown tests. 'gem install bluecloth' to enable."
+end
+
 class TextHelperTest < ActionView::TestCase
   tests ActionView::Helpers::TextHelper
   include TestingSandbox
@@ -726,4 +732,34 @@ def test_textilize_without_paragraph_with_hard_breaks
       assert_equal("This is one scary world.<br />\n True.", textilize_without_paragraph("This is one scary world.\n True."))
     end
   end
+
+  if defined? BlueCloth
+    def test_markdown_should_be_html_safe
+      assert markdown("We are using __Markdown__ now!").html_safe?
+    end
+
+    def test_markdown
+      assert_equal("<p>We are using <strong>Markdown</strong> now!</p>", markdown("We are using __Markdown__ now!"))
+    end
+
+    def test_markdown_with_blank
+      assert_equal("", markdown(""))
+    end
+
+    def test_markdown_should_sanitize_unsafe_input
+      assert_equal("<p>This is worded <strong>strongly</strong></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_markdown_should_not_sanitize_input_if_safe_option
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_markdown_should_not_sanitize_safe_input
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
+    def test_markdown_with_hard_breaks
+      assert_equal("<p>This is one scary world.</p>\n\n<p>True.</p>", markdown("This is one scary world.\n\nTrue."))
+    end
+  end
 end