Permalink
Browse files

Change url_for to escape the resulting URLs when called from a view. …

…Closes #4202

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3953 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent eba58b2 commit 1e7ce13b372e554438aa58c466dc100ef174ae9e @seckar seckar committed Mar 18, 2006
View
2 actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Change url_for to escape the resulting URLs when called from a view. [Nicholas Seckar, eddiewould@paradise.net.nz]
+
* Added easy support for testing file uploads with fixture_file_upload #4105 [turnip@turnipspatch.com]. Example:
# Looks in Test::Unit::TestCase.fixture_path + '/files/spongebob.png'
View
16 actionpack/lib/action_view/helpers/url_helper.rb
@@ -15,7 +15,7 @@ module UrlHelper
# http://example.com/controller/action part (makes it harder to parse httpd log files)
def url_for(options = {}, *parameters_for_method_reference)
options = { :only_path => true }.update(options.symbolize_keys) if options.kind_of? Hash
- @controller.send(:url_for, options, *parameters_for_method_reference)
+ html_escape(@controller.send(:url_for, options, *parameters_for_method_reference))
end
# Creates a link tag of the given +name+ using an URL created by the set of +options+. See the valid options in
@@ -46,8 +46,8 @@ def link_to(name, options = {}, html_options = nil, *parameters_for_method_refer
else
tag_options = nil
end
- url = html_escape(options.is_a?(String) ? options : url_for(options, *parameters_for_method_reference))
- "<a href=\"#{url}\"#{tag_options}>#{name||url}</a>"
+ url = options.is_a?(String) ? options : self.url_for(options, *parameters_for_method_reference)
+ "<a href=\"#{url}\"#{tag_options}>#{name || url}</a>"
end
# Generates a form containing a sole button that submits to the
@@ -104,11 +104,10 @@ def button_to(name, options = {}, html_options = nil)
if confirm = html_options.delete("confirm")
html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
end
-
- url, name = options.is_a?(String) ?
- [ options, name || options ] :
- [ url_for(options), name || html_escape(url_for(options)) ]
-
+
+ url = options.is_a?(String) ? options : url_for(options)
+ name ||= url
+
html_options.merge!("type" => "submit", "value" => name)
"<form method=\"post\" action=\"#{h url}\" class=\"button-to\"><div>" +
@@ -197,6 +196,7 @@ def link_to_if(condition, name, options = {}, html_options = {}, *parameters_for
# mail_to "me@domain.com", "My email", :cc => "ccaddress@domain.com", :bcc => "bccaddress@domain.com", :subject => "This is an example email", :body => "This is the body of the message." # =>
# <a href="mailto:me@domain.com?cc="ccaddress@domain.com"&bcc="bccaddress@domain.com"&body="This%20is%20the%20body%20of%20the%20message."&subject="This%20is%20an%20example%20email">My email</a>
def mail_to(email_address, name = nil, html_options = {})
+ name = html_escape(name) if name
html_options = html_options.stringify_keys
encode = html_options.delete("encode")
cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body")
View
32 actionpack/test/template/url_helper_test.rb
@@ -13,13 +13,20 @@ class UrlHelperTest < Test::Unit::TestCase
def setup
@controller = Class.new do
+ attr_accessor :url
def url_for(options, *parameters_for_method_reference)
- "http://www.example.com"
+ url
end
end
@controller = @controller.new
+ @controller.url = "http://www.example.com"
end
-
+
+ def test_url_for_escapes_urls
+ @controller.url = "http://www.example.com?a=b&c=d"
+ assert_equal "http://www.example.com?a=b&amp;c=d", url_for(:a => 'b', :c => 'd')
+ end
+
# todo: missing test cases
def test_button_to_with_straight_url
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com")
@@ -56,17 +63,25 @@ def test_link_tag_with_straight_url
end
def test_link_tag_with_query
- assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&q2=v2")
+ assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">Hello</a>", link_to("Hello", "http://www.example.com?q1=v1&amp;q2=v2")
end
def test_link_tag_with_query_and_no_name
- assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&q2=v2")
+ assert_dom_equal "<a href=\"http://www.example.com?q1=v1&amp;q2=v2\">http://www.example.com?q1=v1&amp;q2=v2</a>", link_to(nil, "http://www.example.com?q1=v1&amp;q2=v2")
+ end
+
+ def test_link_tag_with_img
+ assert_dom_equal "<a href=\"http://www.example.com\"><img src='/favicon.jpg' /></a>", link_to("<img src='/favicon.jpg' />", "http://www.example.com")
+ end
+
+ def test_link_with_nil_html_options
+ assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
end
def test_link_tag_with_custom_onclick
assert_dom_equal "<a href=\"http://www.example.com\" onclick=\"alert('yay!')\">Hello</a>", link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
end
-
+
def test_link_tag_with_javascript_confirm
assert_dom_equal(
"<a href=\"http://www.example.com\" onclick=\"return confirm('Are you sure?');\">Hello</a>",
@@ -147,7 +162,6 @@ def test_link_to_if
assert_equal "Showing", link_to_if(false, "Showing", :action => "show", :controller => "weblog", :id => 1)
end
-
def xtest_link_unless_current
@request = RequestMock.new("http://www.example.com")
assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog")
@@ -157,7 +171,7 @@ def xtest_link_unless_current
@request = RequestMock.new("http://www.example.com")
assert_equal "Showing", link_to_unless_current("Showing", :action => "show", :controller => "weblog", :id => 1)
end
-
+
def test_mail_to
assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">david@loudthinking.com</a>", mail_to("david@loudthinking.com")
assert_dom_equal "<a href=\"mailto:david@loudthinking.com\">David Heinemeier Hansson</a>", mail_to("david@loudthinking.com", "David Heinemeier Hansson")
@@ -191,8 +205,4 @@ def test_mail_to_with_replace_options
assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain(dot)com</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
end
-
- def test_link_with_nil_html_options
- assert_dom_equal "<a href=\"http://www.example.com\">Hello</a>", link_to("Hello", {:action => 'myaction'}, nil)
- end
end

0 comments on commit 1e7ce13

Please sign in to comment.