Make text_area_tag escape contents by default.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
JEG2 · Jun 27, 2009 · eb52dc3 · eb52dc3
1 parent 9407f6e
commit eb52dc3
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -230,6 +230,8 @@ def password_field_tag(name = "password", value = nil, options = {})
       # * <tt>:rows</tt> - Specify the number of rows in the textarea
       # * <tt>:cols</tt> - Specify the number of columns in the textarea
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
+      # * <tt>:escape</tt> - By default, the contents of the text input are HTML escaped.
+      #   If you need unescaped contents, set this to false.
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -257,6 +259,9 @@ def text_area_tag(name, content = nil, options = {})
           options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
         end
 
+        escape = options.key?("escape") ? options.delete("escape") : true
+        content = html_escape(content) if escape
+
         content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
       end
 

diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
@@ -158,6 +158,18 @@ def test_text_area_tag_id_sanitized
     assert_match VALID_HTML_ID, input_elem['id']
   end
 
+  def test_text_area_tag_escape_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_unescaped_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
+    assert_dom_equal expected, actual
+  end
+
   def test_text_field_tag
     actual = text_field_tag "title", "Hello!"
     expected = %(<input id="title" name="title" type="text" value="Hello!" />)