Fixed that single quote was not escaped in a UrlHelper#link_to javasc…

…ript confirm rails#549 [Scott Barron] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@837 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
arthurschreiber · Mar 6, 2005 · 25b656f · 25b656f
1 parent eb5ca2e
commit 25b656f
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that single quote was not escaped in a UrlHelper#link_to javascript confirm #549 [Scott Barron]
+
 * Removed the default border on link_image_to (it broke xhtml strict) -- can be specified with :border => 0 #517 [?/caleb]
 
 * Fixed that form helpers would treat string and symbol keys differently in html_options (and possibly create duplicate entries) #112 [bitsweat]

diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -138,7 +138,7 @@ def current_page?(options)
       private
         def convert_confirm_option_to_javascript!(html_options)
           if confirm = html_options.delete("confirm")
-            html_options["onclick"] = "return confirm('#{confirm}');"
+            html_options["onclick"] = "return confirm('#{confirm.gsub(/'/, '\\\\\'')}');"
           end
         end
     end

diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
@@ -27,6 +27,10 @@ def test_link_tag_with_javascript_confirm
       "<a href=\"http://www.world.com\" onclick=\"return confirm('Are you sure?');\">Hello</a>",
       link_to("Hello", "http://www.world.com", :confirm => "Are you sure?")
     )
+    assert_equal(
+      "<a href=\"http://www.world.com\" onclick=\"return confirm('You can\\'t possibly be sure, can you?');\">Hello</a>", 
+      link_to("Hello", "http://www.world.com", :confirm => "You can't possibly be sure, can you?")
+    )
   end
 
   def test_link_image_to