
Change url_for to escape the resulting URLs when called from a view.

Closes #4202

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3953 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
commit 1e7ce13b372e554438aa58c466dc100ef174ae9e 1 parent eba58b2
Nicholas Seckar seckar authored
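--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Change url_for to escape the resulting URLs when called from a view. [Nicholas Seckar, eddiewould@paradise.net.nz]
+
 * Added easy support for testing file uploads with fixture_file_upload #4105 [turnip@turnipspatch.com]. Example:
 
 # Looks in Test::Unit::TestCase.fixture_path + '/files/spongebob.png'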
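--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -15,7 +15,7 @@ module UrlHelper
 # http://example.com/controller/action part (makes it harder to parse httpd log files)
 def url_for(options = {}, *parameters_for_method_reference)
 options = { :only_path => true }.update(options.symbolize_keys) if options.kind_of? Hash
-@controller.send(:url_for, options, *parameters_for_method_reference)
+html_escape(@controller.send(:url_for, options, *parameters_for_method_reference))
 end
 
 # Creates a link tag of the given +name+ using an URL created by the set of +options+. See the valid options in
@@ -46,8 +46,8 @@ def link_to(name, options = {}, html_options = nil, *parameters_for_method_refer
 else
 tag_options = nil
 end
-url = html_escape(options.is_a?(String) ? options : url_for(options, *parameters_for_method_reference))
-"<a href=\"#{url}\"#{tag_options}>#{name||url}</a>"
+url = options.is_a?(String) ? options : self.url_for(options, *parameters_for_method_reference)
+"<a href=\"#{url}\"#{tag_options}>#{name || url}</a>"
 end
 
 # Generates a form containing a sole button that submits to the
@@ -104,11 +104,10 @@ def button_to(name, options = {}, html_options = nil)
 if confirm = html_options.delete("confirm")
 html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
 end
-
-url, name = options.is_a?(String) ?
-[ options, name || options ] :
-[ url_for(options), name || html_escape(url_for(options)) ]
-
+
+url = options.is_a?(String) ? options : url_for(options)
+name ||= url
+
 html_options.merge!("type" => "submit", "value" => name)
 
 "<form method=\"post\" action=\"#{h url}\" class=\"button-to\"><div>" +
@@ -197,6 +196,7 @@ def link_to_if(condition, name, options = {}, html_options = {}, *parameters_for
 # mail_to "me@domain.com", "My email", :cc => "ccaddress@domain.com", :bcc => "bccaddress@domain.com", :subject => "This is an example email", :body => "This is the body of the message." # =>
 # <a href="mailto:me@domain.com?cc="ccaddress@domain.com"&bcc="bccaddress@domain.com"&body="This%20is%20the%20body%20of%20the%20message."&subject="This%20is%20an%20example%20email">My email</a>
 def mail_to(email_address, name = nil, html_options = {})
+name = html_escape(name) if name
 html_options = html_options.stringify_keys
 encode = html_options.delete("encode")
 cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body")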
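Review bot: button_to now double-escapes URLs built from a Hash: the first hunk makes url_for return an html_escape'd string, and the unchanged `action=\"#{h url}\"` line at the end of the third hunk (h being the html_escape alias) escapes it again, so a `&` in a generated URL comes out as `&amp;amp;` in the form action. The old code applied h to the raw url_for result, which is why that line was correct before this change. One fix is to escape only the String branch and drop the second pass: `url = options.is_a?(String) ? html_escape(options) : url_for(options)` together with `action=\"#{url}\"`; that also keeps a caller-supplied string URL from reaching the attribute unescaped, which the link_to hunk now permits (a `"` inside a string `options` would close the href attribute there). button_to's body continues past the hunk, so the remaining uses of url and name should be checked with the same question in mind.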
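--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -13,13 +13,20 @@ class UrlHelperTest < Test::Unit::TestCase
 
 def setup
 @controller = Class.new do
+attr_accessor :url
 def url_for(options, *parameters_for_method_reference)
-"http://www.example.com"
+url
 end
 end
 @controller = @controller.new
+@controller.url = "http://www.example.com"
 end
-
+
+def test_url_for_escapes_urls
+@controller.url = "http://www.example.com?a=b&c=d"
+assert_equal "http://www.example.com?a=b&amp;c=d", url_for(:a => 'b', :c => 'd')
+end
+
 # todo: missing test cases
 def test_button_to_with_straight_url
 assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com")
@@ -56,17 +63,25 @@ def test_link_tag_with_straight_url
 end
 
 def test_link_tag_with_query
-assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&q2=v2")
+assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&amp;q2=v2")
 end
 
 def test_link_tag_with_query_and_no_name
-assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&q2=v2")
+assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&amp;q2=v2")
+end
+
+def test_link_tag_with_img
+assert_dom_equal "<a href=\"http://www.example.com\"><img src='/favicon.jpg' /></a>", link_to("<img src='/favicon.jpg' />", "http://www.example.com")
+end
+
+def test_link_with_nil_html_options
+assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
 end
 
 def test_link_tag_with_custom_onclick
 assert_dom_equal "<a href=\"http://www.example.com\" onclick=\"alert('yay!')\">Hello</a>", link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
 end
-
+
 def test_link_tag_with_javascript_confirm
 assert_dom_equal(
 "<a href=\"http://www.example.com\" onclick=\"return confirm('Are you sure?');\">Hello</a>",
@@ -147,7 +162,6 @@ def test_link_to_if
 assert_equal "Showing", link_to_if(false, "Showing", :action => "show", :controller => "weblog", :id => 1)
 end
 
-
 def xtest_link_unless_current
 @request = RequestMock.new("http://www.example.com")
 assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog")
@@ -157,7 +171,7 @@ def xtest_link_unless_current
 @request = RequestMock.new("http://www.example.com")
 assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog", :id => 1)
 end
-
+
 def test_mail_to
 assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">david@loudthinking.com</a>", mail_to("david@loudthinking.com")
 assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">David Heinemeier Hansson</a>", mail_to("david@loudthinking.com", "David Heinemeier Hansson")
@@ -191,8 +205,4 @@ def test_mail_to_with_replace_options
 assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain(dot)com</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
 assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
 end
-
-def test_link_with_nil_html_options
-assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
-end
 end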
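Review bot: test_url_for_escapes_urls in the first hunk only exercises `&`, and no button_to test drives a Hash-built URL with a query string, so the interaction between the now-escaped url_for and the `h url` in button_to's form action is never checked by this suite; the straight-URL button_to test passes a plain string with nothing to escape. A case next to test_button_to_with_straight_url that reuses the `?a=b&c=d` stub URL and expects a single `&amp;` in the action attribute would pin the intended behaviour; a constructed example follows, with the expected markup mirroring the straight-URL test. A second url_for case with `"` or `<` in the stub URL would also be worth adding, since those are the characters that matter inside an attribute.
```ruby
def test_button_to_with_query
  @controller.url = "http://www.example.com?a=b&c=d"
  assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?a=b&amp;c=d\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", :a => 'b', :c => 'd')
end
```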
