Add support for compile-time <%= raw %> (Backported from Rails 3 @wycats

commit)
rails · Feb 5, 2010 · 8a6fc54 · 8a6fc54
1 parent 59341ac
commit 8a6fc54
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 30 deletions.
diff --git a/README.markdown b/README.markdown
@@ -25,7 +25,7 @@ With this plugin installed, the html will be escaped.  So you will need to do on
     def some_helper
       (1..5).map do |i|
         "<li>#{i}</li>"
-      end.join("\n").html_safe!
+      end.join("\n").html_safe
     end
 
 3) Use the safe_helper meta programming method:

diff --git a/init.rb b/init.rb
@@ -9,8 +9,7 @@
     include RailsXss::SafeHelpers
   end
 
-  require 'rails_xss_escaping'
   require 'av_patch'
 rescue LoadError
   puts "Could not load all modules required by rails_xss. Please make sure erubis is installed an try again."
-end unless $gems_rake_task
+end unless $gems_rake_task
diff --git a/lib/av_patch.rb b/lib/av_patch.rb
@@ -1,6 +1,6 @@
 module AvPatch
   # Rails version of with_output_buffer uses '' as the default buf
-  def with_output_buffer(buf = ActionView::SafeBuffer.new) #:nodoc:
+  def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc:
     super(buf)
   end
 end

diff --git a/lib/rails_xss.rb b/lib/rails_xss.rb
@@ -2,15 +2,20 @@
 module RailsXss
   class Erubis < ::Erubis::Eruby
     def add_preamble(src)
-      src << "@output_buffer = ActionView::SafeBuffer.new;\n"
+      src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
     end
 
     def add_text(src, text)
-      src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+      return if text.empty?
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
     end
 
     def add_expr_literal(src, code)
-      src << '@output_buffer << ((' << code << ').to_s);'
+      if code =~ /\s*raw\s+(.*)/
+        src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+      else
+        src << '@output_buffer << ((' << code << ').to_s);'
+      end
     end
 
     def add_expr_escaped(src, code)
@@ -36,4 +41,4 @@ def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
       end
     end
   end
-end
+end
diff --git a/lib/rails_xss_escaping.rb b/lib/rails_xss_escaping.rb
diff --git a/test/rails_xss_test.rb b/test/rails_xss_test.rb
@@ -1,5 +1,4 @@
 require 'test_helper'
-require 'rails_xss_escaping'
 
 class RailsXssTest < ActiveSupport::TestCase
   test "ERB::Util.h should mark its return value as safe and escape it" do
@@ -11,7 +10,7 @@ class RailsXssTest < ActiveSupport::TestCase
   test "ERB::Util.h should leave previously safe strings alone " do
     # TODO this seems easier to compose and reason about, but
     # this should be verified
-    escaped = ERB::Util.h("<p>".html_safe!)
+    escaped = ERB::Util.h("<p>".html_safe)
     assert_equal "<p>", escaped
     assert escaped.html_safe?
   end