Permalink
Browse files

Make text_area_tag escape contents by default.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#2015 state:committed]
  • Loading branch information...
1 parent 68b02cb commit 085db5e128ad4ad8fd042776722c78e194c6d0a4 @chrismear chrismear committed with NZKoz Feb 19, 2009
View
5 actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -231,6 +231,8 @@ def password_field_tag(name = "password", value = nil, options = {})
# * <tt>:rows</tt> - Specify the number of rows in the textarea
# * <tt>:cols</tt> - Specify the number of columns in the textarea
# * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
+ # * <tt>:escape</tt> - By default, the contents of the text input are HTML escaped.
+ # If you need unescaped contents, set this to false.
# * Any other key creates standard HTML attributes for the tag.
#
# ==== Examples
@@ -258,6 +260,9 @@ def text_area_tag(name, content = nil, options = {})
options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
end
+ escape = options.key?("escape") ? options.delete("escape") : true
+ content = html_escape(content) if escape
+
content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
end
View
12 actionpack/test/template/form_tag_helper_test.rb
@@ -159,6 +159,18 @@ def test_text_area_tag_id_sanitized
assert_match VALID_HTML_ID, input_elem['id']
end
+ def test_text_area_tag_escape_content
+ actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
+ expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
+ assert_dom_equal expected, actual
+ end
+
+ def test_text_area_tag_unescaped_content
+ actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+ expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
+ assert_dom_equal expected, actual
+ end
+
def test_text_field_tag
actual = text_field_tag "title", "Hello!"
expected = %(<input id="title" name="title" type="text" value="Hello!" />)

0 comments on commit 085db5e

Please sign in to comment.