Move link_to to UrlHelper module, so if UrlHelper is included you get the xss protection
commit 14b75220111a7256efae6ac17539d3c2a2265a44 1 parent 688c387
Santiago Pastorino authored May 26, 2010

Showing 1 changed file with 28 additions and 29 deletions. Show diff stats Hide diff stats

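--- a/lib/rails_xss/action_view.rb
+++ b/lib/rails_xss/action_view.rb
@@ -32,6 +32,34 @@ def content_tag_string_with_escaping(name, content, options, escape = true)
         end
         alias_method_chain :content_tag_string, :escaping
     end
+
+    module UrlHelper
+      def link_to(*args, &block)
+        if block_given?
+          options      = args.first || {}
+          html_options = args.second
+          concat(link_to(capture(&block), options, html_options))
+        else
+          name         = args.first
+          options      = args.second || {}
+          html_options = args.third
+
+          url = url_for(options)
+
+          if html_options
+            html_options = html_options.stringify_keys
+            href = html_options['href']
+            convert_options_to_javascript!(html_options, url)
+            tag_options = tag_options(html_options)
+          else
+            tag_options = nil
+          end
+
+          href_attr = "href=\"#{url}\"" unless href
+          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
+        end
+      end
+    end
   end
 end
 
@@ -49,35 +77,6 @@ def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
      end
     end
   end
-
-  module HelperOverrides
-    def link_to(*args, &block)
-      if block_given?
-        options      = args.first || {}
-        html_options = args.second
-        concat(link_to(capture(&block), options, html_options))
-      else
-        name         = args.first
-        options      = args.second || {}
-        html_options = args.third
-
-        url = url_for(options)
-
-        if html_options
-          html_options = html_options.stringify_keys
-          href = html_options['href']
-          convert_options_to_javascript!(html_options, url)
-          tag_options = tag_options(html_options)
-        else
-          tag_options = nil
-        end
-
-        href_attr = "href=\"#{url}\"" unless href
-        "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
-      end
-    end
-  end
 end
 
 Module.class_eval { include RailsXss::SafeHelpers }
-ActionController::Base.helper(RailsXss::HelperOverrides)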
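Review bot: The new `link_to` in `UrlHelper` is a near-verbatim copy of the core helper whose single security-relevant difference is the `ERB::Util.h(name || url)` call on the return line, yet nothing in the method marks that line as the reason the override exists, so a future re-sync against a newer Rails `link_to` could drop the escape without anyone noticing. Suggest a comment above `def link_to`: `# Override of the core helper: the only intended change is HTML-escaping the link text (name || url); url is interpolated verbatim into href and is presumably already escaped by url_for — confirm before relying on it`. The same comment should record that on the no-`html_options` path `href` stays nil, so `href_attr` is built from `url`, while a caller-supplied `:href` is emitted only through `tag_options`. The enclosing modules that `UrlHelper` sits inside begin before the hunk, so whether this reopens the core `ActionView::Helpers::UrlHelper` (as the commit message implies) cannot be confirmed from the visible lines.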
