Make sure non-escaped urls aren't considered safe

commit 1d01bad3cedfd690c6d125cac6d4504baa9409e5 1 parent 5d5e34f
@NZKoz NZKoz authored
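--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -93,7 +93,7 @@ def url_for(options = {})
 polymorphic_path(options)
 end
- (escape ? escape_once(url) : url).html_safe!
+ escape ? escape_once(url).html_safe! : url
 end
 # Creates a link tag of the given +name+ using a URL created by the set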
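Review bot: Nothing at the changed return line explains why only one branch is marked safe, so a later cleanup could easily wrap both branches in `html_safe!` again. A short comment above it would help, for example `# Only the escaped form is html_safe; with :escape => false the caller must escape before emitting into HTML`, and the `:escape` option's doc comment deserves the same sentence. The non-escaped branch also returns `url` untouched, so if that object was already flagged safe by one of the branches above, it stays flagged. `url_for`'s body begins outside this hunk, so that is worth checking against the code that assigns `url`.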
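--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -26,6 +26,11 @@ def test_url_for_escapes_urls
 assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd', :escape => true)
 assert_equal "http://www.example.com?a=b&c=d", url_for(:a => 'b', :c => 'd', :escape => false)
 end
+
+ def test_url_for_escaping_is_safety_aware
+ assert url_for(:a => 'b', :c => 'd', :escape => true).html_safe?, "escaped urls should be html_safe?"
+ assert !url_for(:a => 'b', :c => 'd', :escape => false).html_safe?, "non-escaped urls shouldn't be safe"
+ end
 def test_url_for_escapes_url_once
 @controller.url = "http://www.example.com?a=b&c=d"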
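Review bot: `test_url_for_escaping_is_safety_aware` pins only the two explicit `:escape` values with Hash options, so the call without `:escape` is left unasserted and a change to the default could silently flip the safety flag. Consider one more assertion for the default case, e.g. `assert url_for(:a => 'b', :c => 'd').html_safe?` if escaping is the default for hash options (the default is not visible on this page). The `polymorphic_path(options)` branch shown in the helper hunk returns through the same changed line and is likewise uncovered here.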