100644 118 lines (99 sloc) 2.499 kb
644219a @snusnu Require AS singleton_class code in AS output_safety
snusnu authored
require 'erb'
89978f1 @fxn moves Object#singleton_class to Kernel#singleton_class to match Ruby …
fxn authored
require 'active_support/core_ext/kernel/singleton_class'
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored

class ERB
  module Util
    HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

    # A utility method for escaping HTML tag characters.
    # This method is also aliased as <tt>h</tt>.
    #
    # In your ERb templates, use this method to escape any unsafe content. For example:
    #   <%=h @person.name %>
    #
    # ==== Example:
    #   puts html_escape("is a > 0 & a < 10?")
    #   # => is a &gt; 0 &amp; a &lt; 10?
    def html_escape(s)
      s = s.to_s
      if s.html_safe?
        s
      else
        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
      end
    end

a5587ef @wycats Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM…
wycats authored
    remove_method(:h)
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    alias h html_escape

    module_function :h

a5587ef @wycats Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM…
wycats authored
    singleton_class.send(:remove_method, :html_escape)
    module_function :html_escape

a7d3223 @fxn applies API conventions to the RDoc of json_encode
fxn authored
    # A utility method for escaping HTML entities in JSON strings
    # using \uXXXX JavaScript escape sequences for string literals:
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    #
a7d3223 @fxn applies API conventions to the RDoc of json_encode
fxn authored
    #   json_escape("is a > 0 & a < 10?")
    #   # => is a \u003E 0 \u0026 a \u003C 10?
54828a1 @neerajdotname json_escape makes json invalid doc change [#1485 state:resolved]
neerajdotname authored
    #
a7d3223 @fxn applies API conventions to the RDoc of json_encode
fxn authored
    # Note that after this operation is performed the output is not
    # valid JSON. In particular double quotes are removed:
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    #
a7d3223 @fxn applies API conventions to the RDoc of json_encode
fxn authored
    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
54828a1 @neerajdotname json_escape makes json invalid doc change [#1485 state:resolved]
neerajdotname authored
    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
    #
a7d3223 @fxn applies API conventions to the RDoc of json_encode
fxn authored
    # This method is also aliased as +j+, and available as a helper
    # in Rails templates:
    #
    #   <%=j @person.to_json %>
    #
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    def json_escape(s)
      s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
    end

    alias j json_escape
    module_function :j
    module_function :json_escape
  end
end

561885a @josevalim String#<< should work for any object which responds to :to_str, so en…
josevalim authored
class Object
  def html_safe?
    false
  end
end

class Fixnum
  def html_safe?
    true
  end
end

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
module ActiveSupport #:nodoc:
  class SafeBuffer < String
    alias safe_concat concat
9415935 @NZKoz Switch to on-by-default XSS escaping for rails.
NZKoz authored

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    def concat(value)
      if value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
c65f4b1 @spastorino Making SafeBuffer << an alias for concat method
spastorino authored
    alias << concat
e12380e @josh Remove concat before overriding it
josh authored

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    def +(other)
      dup.concat(other)
    end

    def html_safe?
      true
    end

    def html_safe
      self
    end
e12380e @josh Remove concat before overriding it
josh authored

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
    def to_s
      self
    end
1f6c567 @jeremy OutputBuffer#to_yaml should return string yaml, not some custom class…
jeremy authored

f10631e @jeremy Be sure to pass through args to to_yaml
jeremy authored
    def to_yaml(*args)
c937da9 @jeremy to_str works here
jeremy authored
      to_str.to_yaml(*args)
1f6c567 @jeremy OutputBuffer#to_yaml should return string yaml, not some custom class…
jeremy authored
    end
9415935 @NZKoz Switch to on-by-default XSS escaping for rails.
NZKoz authored
  end
4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
end
e12380e @josh Remove concat before overriding it
josh authored

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
class String
  def html_safe!
    raise "You can't call html_safe! on a String"
9415935 @NZKoz Switch to on-by-default XSS escaping for rails.
NZKoz authored
  end
e12380e @josh Remove concat before overriding it
josh authored

4cbb9db For performance reasons, you can no longer call html_safe! on Strings…
Yehuda Katz authored
  def html_safe
    ActiveSupport::SafeBuffer.new(self)
  end
c65f4b1 @spastorino Making SafeBuffer << an alias for concat method
spastorino authored
end
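
The RDoc for json_escape in the listing notes that its output is not valid JSON because double quotes are removed. The block below is an added example, not part of the Rails source shown on this page: it reproduces that behaviour with the same escape table and compares it with a quote-preserving variant whose output still parses. The module name, method names and sample record are assumptions made for the illustration.

```ruby
require 'json'

# Added illustration; module and method names are hypothetical, not Rails API.
module JsonEscapeDemo
  # Same mapping as JSON_ESCAPE in the listing: there is no entry for '"'.
  TABLE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }.freeze

  # Constructed sample record; the name field carries markup characters.
  RECORD = { 'name' => '</script><b>x</b> & co', 'id' => 1 }.freeze
  SAMPLE = JSON.generate(RECORD)

  # json_escape as listed: the regex matches '"', the table lookup returns
  # nil for it, and gsub inserts nil.to_s, so every double quote is deleted.
  def self.listed_escape(s)
    s.to_s.gsub(/[&"><]/) { |c| TABLE[c] }
  end

  # Variant that does not match '"'. \uXXXX is a legal JSON string escape,
  # so the output still parses and holds no literal '<', '>' or '&'.
  def self.quote_preserving_escape(s)
    s.to_s.gsub(/[&><]/) { |c| TABLE[c] }
  end

  # True when the text parses as JSON, false on a parser error.
  def self.valid_json?(text)
    JSON.parse(text)
    true
  rescue JSON::ParserError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  d = JsonEscapeDemo
  puts d.listed_escape(d::SAMPLE)
  puts d.valid_json?(d.listed_escape(d::SAMPLE))
  puts d.quote_preserving_escape(d::SAMPLE)
  puts JSON.parse(d.quote_preserving_escape(d::SAMPLE)) == d::RECORD
end
```

With the listed behaviour the escaped text can no longer be parsed back into the record; with the variant the parsed value equals the original record while the serialized form contains no literal `<`, `>` or `&`.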