Move link_to to UrlHelper module, so if UrlHelper is included you get…

… the xss protection
rails · May 26, 2010 · 14b7522 · 14b7522
1 parent 688c387
commit 14b7522
Showing 1 changed file with 28 additions and 29 deletions.
diff --git a/lib/rails_xss/action_view.rb b/lib/rails_xss/action_view.rb
@@ -32,6 +32,34 @@ def content_tag_string_with_escaping(name, content, options, escape = true)
         end
         alias_method_chain :content_tag_string, :escaping
     end
+
+    module UrlHelper
+      def link_to(*args, &block)
+        if block_given?
+          options      = args.first || {}
+          html_options = args.second
+          concat(link_to(capture(&block), options, html_options))
+        else
+          name         = args.first
+          options      = args.second || {}
+          html_options = args.third
+
+          url = url_for(options)
+
+          if html_options
+            html_options = html_options.stringify_keys
+            href = html_options['href']
+            convert_options_to_javascript!(html_options, url)
+            tag_options = tag_options(html_options)
+          else
+            tag_options = nil
+          end
+
+          href_attr = "href=\"#{url}\"" unless href
+          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
+        end
+      end
+    end
   end
 end
 
@@ -49,35 +77,6 @@ def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
       end
     end
   end
-
-  module HelperOverrides
-    def link_to(*args, &block)
-      if block_given?
-        options      = args.first || {}
-        html_options = args.second
-        concat(link_to(capture(&block), options, html_options))
-      else
-        name         = args.first
-        options      = args.second || {}
-        html_options = args.third
-
-        url = url_for(options)
-
-        if html_options
-          html_options = html_options.stringify_keys
-          href = html_options['href']
-          convert_options_to_javascript!(html_options, url)
-          tag_options = tag_options(html_options)
-        else
-          tag_options = nil
-        end
-
-        href_attr = "href=\"#{url}\"" unless href
-        "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
-      end
-    end
-  end
 end
 
 Module.class_eval { include RailsXss::SafeHelpers }
-ActionController::Base.helper(RailsXss::HelperOverrides)