
In actionview, eliminate calls to tag that use html_safe parameter values.

This is generally unnecessary, since tag handles string quoting, except in one case (utf8_enforcer_tag) where we want to specify the encoding ourselves.
1 parent 6071d62 · commit 19af434840802ca0feb39253241917286467a86e · pdg137 (@pdg137) committed Jun 13, 2014
6 actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -794,9 +794,11 @@ def range_field_tag(name, value = nil, options = {})
# Creates the hidden UTF8 enforcer tag. Override this method in a helper
- # to customize the tag.
+ # to customize the tag. Note that we have the HTML written out
+ # explicitly here to avoid potential problems with including a
+ # unicode character in output.
def utf8_enforcer_tag
- tag(:input, :type => "hidden", :name => "utf8", :value => "✓".html_safe)
+ %{<input name="utf8" type="hidden" value="&#x2713;" />}.html_safe
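Review bot: the `.html_safe` on the `%{<input ... />}` literal is sound only because the string is a fixed constant with no interpolation, and the doc comment for `utf8_enforcer_tag` should say so for anyone who overrides it: an override that builds the tag from runtime data has to escape that data itself, since nothing downstream escapes an html_safe return value. The comment could also note that `&#x2713;` is the numeric entity for the same U+2713 check mark the old `tag(:input, ...)` call emitted, so the submitted `utf8` parameter is unchanged; a test asserting the rendered markup would pin that down.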
1 actionview/lib/action_view/helpers/tags/text_field.rb
@@ -7,7 +7,6 @@ def render
options["size"] = options["maxlength"] unless options.key?("size")
options["type"] ||= field_type
options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
- options["value"] &&= ERB::Util.html_escape(options["value"])
bughit added a line comment Jul 8, 2015

This changes how arrays are encoded in form fields.

bughit added a line comment Jul 9, 2015

@rafaelfranca, why does @matthewd get to rage close this bug? His opinion was backed up by nothing (just declared) and was clearly wrong; it is not "more useful" to lose the ability to decode the array. I actually provided a coherent argument.

Ruby on Rails member
dhh added a line comment Jul 9, 2015

You were completely out of line on your tone and your indignation. I don't care what kind of bug you found, that's no justification for such antics. Nobody here owes you anything.

bughit added a line comment Jul 9, 2015

There was no indignation, the tone is your interpretation and was not intended. I simply saw a worthless opinion backed up by nothing, and stated it was wrong. If you are going to claim something is more useful then you should show how it's more useful. Otherwise it is argument by authority.

I also did not claim someone owes me something, I would have done a pull request if that's what @rafaelfranca asked.

Ruby on Rails member
dhh added a line comment Jul 9, 2015

You're clearly oblivious to your own actions. Please spend some time developing your social skills before attempting to comment on another Rails issue.

bughit added a line comment Jul 9, 2015

I see, so your team can make dismissive fallacious arguments by authority, offering nonsensical opinions backed up by nothing, and I have to gingerly tiptoe, pleading gently, so that my bug is not rage closed by them.

OK, got it. Perhaps I let my annoyance show; sometimes one forgets and says what one thinks of a bad argument, know what I mean?

At no point did you address the substance, which is that it is much better to encode arrays into form field value strings in a way that allows them to be decoded. Pretty self evident, no?

Ruby on Rails member
dhh added a line comment Jul 9, 2015
tag("input", options)
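Review bot: dropping `options["value"] &&= ERB::Util.html_escape(options["value"])` leaves attribute escaping to `tag("input", options)`, which escapes non-html_safe values itself, so output encoding is preserved; but the two paths serialise an Array value differently. `ERB::Util.html_escape` calls `to_s` on the Array and escapes the resulting inspect-style string, whereas `tag` joins Array attribute values with a space, so a text field whose value is an Array renders differently after this change, which is the point raised in the line comments on this hunk. That is a behaviour change rather than a security regression, and it deserves a CHANGELOG entry and a test covering an Array value.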
8 actionview/lib/action_view/helpers/url_helper.rb
@@ -462,20 +462,18 @@ def link_to_if(condition, name, options = {}, html_options = {}, &block)
# <strong>Email me:</strong> <span></span>
# </a>
def mail_to(email_address, name = nil, html_options = {}, &block)
- email_address = ERB::Util.unwrapped_html_escape(email_address)
html_options, name = name, nil if block_given?
html_options = (html_options || {}).stringify_keys
extras = %w{ cc bcc body subject }.map! { |item|
option = html_options.delete(item) || next
- extras = extras.empty? ? '' : '?' + ERB::Util.unwrapped_html_escape(extras.join('&'))
+ extras = extras.empty? ? '' : '?' + extras.join('&')
- html_options["href"] = "mailto:#{email_address}#{extras}".html_safe
+ html_options["href"] = "mailto:#{email_address}#{extras}"
- content_tag(:a, name || email_address.html_safe, html_options, &block)
+ content_tag(:a, name || email_address, html_options, &block)
# True if the current request URI was generated by the given +options+.
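Review bot: removing `ERB::Util.unwrapped_html_escape(email_address)` and the `.html_safe` on both `html_options["href"]` and the link body is only correct because `content_tag(:a, ...)` escapes a non-html_safe `href` attribute and a non-html_safe body itself; the hunk relies on that and should carry a regression test asserting that an `email_address` containing `"`, `<` or `&` is still entity-escaped in both the `href` and the link text of the rendered `<a>`. The `&` separators in `extras.join('&')` are now turned into `&amp;` by `content_tag`'s attribute escaping instead of by the removed `unwrapped_html_escape` call, which yields the same markup.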