
escape urls in link_to and form_tag, fixes #2016

ujifgc committed Jun 7, 2016
1 parent 463cea8 commit 90423b5b9cde6996ca36661eef8425550e05f68f
@@ -75,14 +75,14 @@ def flash_tag(*args)
# condition padrino return true/false if the request.path_info match the given url.
#
def link_to(*args, &block)
options = args.extract_options!
options = args.extract_options!
name = block_given? ? '' : args.shift
href = args.first
if fragment = options[:fragment] || options[:anchor]
warn 'Options :anchor and :fragment are deprecated for #link_to. Please use :fragment for #url'
href << '#' << fragment.to_s
end
options.reverse_merge!(:href => href || '#')
options = { :href => href ? escape_link(href) : '#' }.update(options)
return name unless parse_conditions(href, options)
block_given? ? content_tag(:a, options, &block) : content_tag(:a, name, options)
end
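Review bot: The new `:href` line passes `href` straight into `escape_link`, which calls `gsub` on it, whereas the asset_path hunk in this same commit calls `escape_link(source.to_s)`; if any caller hands link_to a non-String url (a Symbol, or an object with `to_s`) this now raises NoMethodError where the old `reverse_merge!` passed it through. For consistency with asset_path I would write `options = { :href => href ? escape_link(href.to_s) : '#' }.update(options)`, and the same applies to form_tag's `:action => escape_link(url)`. Note also that because `update` lets caller-supplied options win, an explicit `:href` in `options` bypasses escaping entirely — that matches the previous reverse_merge! behaviour, but a short comment such as `# only the positional url is escaped; an explicit :href option is used as given` would save the next reader from assuming otherwise.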
@@ -310,7 +310,7 @@ def image_path(src)
#
def asset_path(kind, source = nil)
kind, source = source, kind if source.nil?
source = asset_normalize_extension(kind, URI.escape(source.to_s))
source = asset_normalize_extension(kind, escape_link(source.to_s))
return source if source =~ ABSOLUTE_URL_PATTERN || source =~ /^\//
source = File.join(asset_folder_name(kind), source)
timestamp = asset_timestamp(source)
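Review bot: Replacing `URI.escape` with `escape_link` narrows what gets percent-encoded: `URI.escape` encoded every unsafe byte (non-ASCII, quotes, angle brackets and the like), while `escape_link` only turns spaces into `%20`, so an asset name containing any of those characters is now emitted into the attribute as-is. If the intent is only to avoid `URI.escape`'s deprecation while keeping the old output, this line needs a fuller encoder than a single-character substitution; if the narrower behaviour is intended, it should be stated in the commit message and in escape_link's docstring so that this is not read as a regression later. The rest of asset_path continues outside the hunk.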
@@ -92,7 +92,7 @@ def fields_for(object, options={}, &block)
#
def form_tag(url, options={}, &block)
options = {
:action => url,
:action => escape_link(url),
:protect_from_csrf => is_protected_from_csrf?,
'accept-charset' => 'UTF-8'
}.update(options)
@@ -235,6 +235,19 @@ def tag(name, options = nil, open = false)
"<#{name}#{attributes}#{open ? '>' : ' />'}".html_safe
end
##
# Returns an escaped document link.
#
# @example
# escape_link('http://example.com/spaced link')
# # => 'http://example.com/spaced%20link'
# escape_link('already%20partially escaped')
# # => 'already%20partially%20escaped'
#
def escape_link(link)
link.gsub(' ', '%20')
end
private
##
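Review bot: The docstring "Returns an escaped document link" overstates what `link.gsub(' ', '%20')` does: only spaces are percent-encoded, nothing else that is invalid in a URL is touched, and the method is not an HTML attribute escape (attribute escaping presumably still happens in `tag`, given the `&lt;&amp;&gt;` assertion in the test hunk). The `%20` example does show the useful property that already-encoded input is not double-encoded, which is worth stating explicitly. I would extend the comment with `# Only spaces are replaced with %20; other characters (including already percent-encoded sequences) are left untouched, and the result is still HTML-attribute-escaped by the tag helpers.` and add `# @param [String] link` since the method requires a String.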
@@ -76,6 +76,11 @@ def flash
assert_match "&lt;&amp;&gt;", actual_link
end
it 'should escape the link href' do
actual_link = link_to('Sign up', '/register new%20user')
assert_has_tag('a', :href => '/register%20new%20user') { actual_link }
end
it 'should not escape image_tag' do
actual_link = link_to(image_tag("/my/fancy/image.png"), :class => 'first', :id => 'binky')
assert_has_tag('img', :src => "/my/fancy/image.png") { actual_link }
