HTML-escape the label strings (GH-292)

commit 364ae5c20efbd42a6a882f7e458bd9523433e3a0 1 parent 4d3e4ff
@yabawock yabawock authored
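--- a/lib/formtastic.rb
+++ b/lib/formtastic.rb
@@ -878,7 +878,7 @@ def radio_input(method, options)
 html_options[:checked] = selected_value == value if selected_option_is_present
 li_content = template.content_tag(:label,
-Formtastic::Util.html_safe("#{self.radio_button(input_name, value, html_options)} #{label}"),
+Formtastic::Util.html_safe("#{self.radio_button(input_name, value, html_options)} #{template.escape_once(label)}"),
 :for => input_id
 )
@@ -1149,7 +1149,7 @@ def check_boxes_input(method, options)
 html_options[:id] = input_id
 li_content = template.content_tag(:label,
-Formtastic::Util.html_safe("#{self.check_box(input_name, html_options, value, unchecked_value)} #{label}"),
+Formtastic::Util.html_safe("#{self.check_box(input_name, html_options, value, unchecked_value)} #{template.escape_once(label)}"),
 :for => input_id
 )
@@ -1622,7 +1622,7 @@ def localized_string(key, value, type, options = {}) #:nodoc:
 key = value if value.is_a?(::Symbol)
 if value.is_a?(::String)
-value
+template.escape_once(value)
 else
 use_i18n = value.nil? ? @@i18n_lookups_by_default : (value != false)
@@ -1644,6 +1644,7 @@ def localized_string(key, value, type, options = {}) #:nodoc:
 i18n_value = ::Formtastic::I18n.t(defaults.shift,
 options.merge(:default => defaults, :scope => type.to_s.pluralize.to_sym))
+i18n_value = template.escape_once(i18n_value) if i18n_value.is_a?(::String)
 i18n_value.blank? ? nil : i18n_value
 end
 end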
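Review bot: The escaping added in `localized_string` (and on the collection `label` at the radio and check-box call sites) is unconditional, so a label the caller has deliberately marked safe — e.g. `:label => 'Name <abbr title="required">*</abbr>'.html_safe` — is still pushed through `escape_once` and rendered as literal text; unlike `ERB::Util.html_escape`, `escape_once` does not appear to consult `html_safe?`. Where the supported Rails versions provide `String#html_safe?`, guard each call, `value.html_safe? ? value : template.escape_once(value)`, and likewise for `i18n_value` and `label`; that keeps raw strings neutralised while letting a caller opt in to markup explicitly. The choice of `escape_once` also means a label that already carries an entity such as `&amp;` is emitted unchanged rather than double-encoded, which is fine for XSS but non-obvious — a comment at the `localized_string` site, `# escape_once: keep entities already present, still neutralise raw <, >, " and &`, would record why it was preferred over `h`. Both `radio_input`/`check_boxes_input` and `localized_string` begin outside these hunks, so whether `template` is always set at these points cannot be confirmed from here.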
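--- a/spec/inputs/check_boxes_input_spec.rb
+++ b/spec/inputs/check_boxes_input_spec.rb
@@ -104,6 +104,16 @@
 output_buffer.should have_tag("form li fieldset ol li label input[@name='project[author_id][]']")
 end
 end
+
+it 'should html escape the label string' do
+output_buffer.replace ''
+semantic_form_for(:project, :url => 'http://test.host') do |builder|
+concat(builder.input(:author_id, :as => :check_boxes, :collection => [["<b>Item 1</b>", 1], ["<b>Item 2</b>", 2]]))
+end
+output_buffer.should have_tag('form li fieldset ol li label') do |label|
+label.body.should match /&lt;b&gt;Item [12]&lt;\/b&gt;$/
+end
+end
 end
 describe 'when :selected is set' do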
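Review bot: The new spec pins only the `<`/`>` case, so a label containing `&` or `"` is not covered, and neither is the input that distinguishes `escape_once` from a plain `h`: a label that is already escaped. Adding a third collection item such as `["Tom & Jerry", 3]` with an expectation of `Tom &amp; Jerry`, and one like `["Tom &amp; Jerry", 4]` expected to stay `Tom &amp; Jerry`, would catch a regression to either a non-escaping or a double-escaping helper. The `$` in the regex matches at any line end rather than at the end of `label.body`; if the body can ever be multi-line, `\z` is the stricter anchor.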
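--- a/spec/inputs/radio_input_spec.rb
+++ b/spec/inputs/radio_input_spec.rb
@@ -111,6 +111,16 @@
 end
 end
+it 'should html escape the label string' do
+output_buffer.replace ''
+semantic_form_for(:project, :url => 'http://test.host') do |builder|
+concat(builder.input(:author_id, :as => :radio, :collection => [["<b>Item 1</b>", 1], ["<b>Item 2</b>", 2]]))
+end
+output_buffer.should have_tag('form li fieldset ol li label') do |label|
+label.body.should match /&lt;b&gt;Item [12]&lt;\/b&gt;$/
+end
+end
+
 it 'should generate inputs for each item' do
 ::Author.find(:all).each do |author|
 output_buffer.should have_tag("form li fieldset ol li label input#project_author_id_#{author.id}")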
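--- a/spec/label_spec.rb
+++ b/spec/label_spec.rb
@@ -42,6 +42,12 @@
 builder.label(:login, :label => false).should be_blank
 end
 end
+
+it 'should html escape the label string' do
+semantic_form_for(@new_post) do |builder|
+builder.label(:login, :required => false, :label => '<b>My label</b>').should == "<label for=\"post_login\">&lt;b&gt;My label&lt;/b&gt;</label>"
+end
+end
 end
 end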
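Review bot: This example fixes the exact markup for a raw `<b>` label but does not exercise the property that makes `escape_once` the chosen helper — that pre-escaped input is left alone. A second example, `builder.label(:login, :required => false, :label => 'Tom &amp; Jerry')` expected to equal `"<label for=\"post_login\">Tom &amp; Jerry</label>"`, would pin that an existing entity is not turned into `&amp;amp;` while a bare `&` in another example still becomes `&amp;`. The `:required => false` argument is presumably there to keep a required marker out of the expected string; a short comment such as `# :required => false so no required abbr is appended to the expected markup` would save the next reader a lookup — confirm against the builder's `label` implementation, which is outside this hunk.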

3 comments on commit 364ae5c

@jovoto

If I interpret the API-docs for escape_once correctly (http://api.rubyonrails.org/classes/ActionView/Helpers/TagHelper.html#M002247), doesn't this hardwire html escaping for all form labels?

@yabawock
Collaborator

Yes it does. Even if the bug report about unescaped html was only for a collection, the problem is the same for all other labels as well.

@jovoto

I am not sure I follow — if this commit did indeed introduce a new bug (i.e. hard-wiring HTML escaping into the code with no way to configure or opt out of it), shouldn't it be reverted?
