
Make text_area_tag escape contents by default.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#2015 state:committed]
commit 085db5e128ad4ad8fd042776722c78e194c6d0a4 1 parent 68b02cb
Chris Mear authored February 19, 2009 NZKoz committed June 27, 2009
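--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -231,6 +231,8 @@ def password_field_tag(name = "password", value = nil, options = {})
       # * <tt>:rows</tt> - Specify the number of rows in the textarea
       # * <tt>:cols</tt> - Specify the number of columns in the textarea
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
+      # * <tt>:escape</tt> - By default, the contents of the text input are HTML escaped.
+      #   If you need unescaped contents, set this to false.
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -258,6 +260,9 @@ def text_area_tag(name, content = nil, options = {})
           options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
         end
 
+        escape = options.key?("escape") ? options.delete("escape") : true
+        content = html_escape(content) if escape
+
         content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
       end
 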
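Review bot: In the second hunk, `escape = options.key?("escape") ? options.delete("escape") : true` turns escaping off for any falsy value, so `:escape => nil` (for example from an unset variable) emits the content raw instead of falling back to the safe default. Treating only an explicit false as the opt-out keeps the default fail-safe and matches the new doc text: `escape = options.delete("escape") != false`. The lookup uses the string key, which presumably relies on the options being stringified earlier in text_area_tag, whose body starts outside the hunk. The `:escape` doc lines in the first hunk could also state when opting out is appropriate, e.g. `#   Only disable escaping for content that is already escaped or otherwise trusted.`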
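--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -159,6 +159,18 @@ def test_text_area_tag_id_sanitized
     assert_match VALID_HTML_ID, input_elem['id']
   end
 
+  def test_text_area_tag_escape_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_unescaped_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
+    assert_dom_equal expected, actual
+  end
+
   def test_text_field_tag
     actual = text_field_tag "title", "Hello!"
     expected = %(<input id="title" name="title" type="text" value="Hello!" />)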
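Review bot: The two new tests pin only the default path and the explicit `:escape => false` path, both with `<b>` markup, so the cases that matter most for a textarea body are not covered: content holding `&`, or a closing `</textarea>` that would end the element early if escaping regressed. A third case such as `actual = text_area_tag "body", "a & b </textarea>", :size => "20x40"` with `a &amp; b &lt;/textarea&gt;` expected inside the element would lock that in. It would also help to assert what `:escape => nil` is meant to do, since the helper currently treats any falsy value as opting out.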
