Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
1 parent d7fdcc8 commit 2797757919e95177c42d70c178e16c88828b674a @jeremy jeremy committed Dec 3, 2012
@@ -14,6 +14,17 @@ def add_text(src, text)
src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
end
+ # Erubis toggles <%= and <%== behavior when escaping is enabled.
+ # We override to always treat <%== as escaped.
+ def add_expr(src, code, indicator)
+ case indicator
+ when '=='
+ add_expr_escaped(src, code)
+ else
+ super
+ end
+ end
+
BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
def add_expr_literal(src, code)
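Review bot: the comment on the new `add_expr` override ("We override to always treat <%== as escaped") contradicts the commit message, which says `<%==` should "always behave as literal text"; the Erubis method names (`add_expr_escaped` vs `add_expr_literal`) are easy to misread, so the comment should state plainly what a template author needs to know. Suggest something like `# Erubis toggles <%= and <%== when escaping is enabled; we make <%== always emit raw output regardless of the escape setting`, so anyone auditing templates for `<%==` knows it bypasses escaping in every format.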
@@ -9,7 +9,8 @@ class WithoutLayoutController < ActionController::Base
"locals.html.erb" => "The secret is <%= secret %>",
"xml_template.xml.builder" => "xml.html do\n xml.p 'Hello'\nend",
"with_raw.html.erb" => "Hello <%=raw '<strong>this is raw</strong>' %>",
- "with_implicit_raw.html.erb" => "Hello <%== '<strong>this is also raw</strong>' %>",
+ "with_implicit_raw.html.erb" => "Hello <%== '<strong>this is also raw</strong>' %> in a html template",
+ "with_implicit_raw.text.erb" => "Hello <%== '<strong>this is also raw</strong>' %> in a text template",
"test/with_json.html.erb" => "<%= render :template => 'test/with_json', :formats => [:json] %>",
"test/with_json.json.erb" => "<%= render :template => 'test/final', :formats => [:json] %>",
"test/final.json.erb" => "{ final: json }",
@@ -113,7 +114,12 @@ class TestWithoutLayout < Rack::TestCase
get :with_implicit_raw
- assert_body "Hello <strong>this is also raw</strong>"
+ assert_body "Hello <strong>this is also raw</strong> in a html template"
+ assert_status 200
+
+ get :with_implicit_raw, format: 'text'
+
+ assert_body "Hello <strong>this is also raw</strong> in a text template"
assert_status 200
end
@@ -82,8 +82,8 @@ def test_basic_template_does_html_escape
end
def test_text_template_does_not_html_escape
- @template = new_template("<%= apostrophe %>", format: :text)
- assert_equal "l'apostrophe", render
+ @template = new_template("<%= apostrophe %> <%== apostrophe %>", format: :text)
+ assert_equal "l'apostrophe l'apostrophe", render
end
def test_raw_template
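Review bot: the added `<%== apostrophe %>` case in `test_text_template_does_not_html_escape` cannot distinguish `<%==` from `<%=`, since both are expected unescaped for `format: :text`; it does pin the regression this commit fixes, but the html side of the new rule is left untested in this file. Add a matching `<%== apostrophe %>` assertion to `test_basic_template_does_html_escape` directly above, e.g. `new_template("<%= apostrophe %> <%== apostrophe %>")` asserting the raw apostrophe beside the escaped `<%=` output, so both formats document that `<%==` now bypasses escaping.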

4 comments on commit 2797757

@Fjan
Contributor
Fjan commented on 2797757 Jan 27, 2014

Can we revert this please? People all thought #8235 was a good idea and leads to much cleaner code, and this commit breaks that.

What's more, my Rails 3 app relied on <%== %> being treated as <%= raw %>, and this merge somehow got backported and suddenly removed this feature. (So much for point releases not breaking existing functionality.)

@Fjan
Contributor
Fjan replied Jan 27, 2014

I forgot something important: Some people have reversed the <%= / <%== behaviour to be the ERB / Rails 2 default instead of the Rails 3 default. In that case the above patch actually has the opposite effect of making all output unescaped.

This is actually how I found out about the problem in my app. I caught it in time but it can trip up other people who've switched to the old Rails 2 way of escaping.

@guilleiguaran
Owner

Was this backported to 3.x?

@Fjan
Contributor
Fjan replied Jan 27, 2014

Yes, it was backported in 3.2.13, but there is no description of it in the change log (the change log for #7976 describes something entirely different. Not sure I understand what's going on.)
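To make the toggle Fjan describes and the effect of this commit observable side by side, here is an added example (not code from Rails, Erubis or this commit) that models the `<%=` / `<%==` dispatch in a toy renderer. `ToyErb`, its `escape` and `override_double_eq` options and the `payload` local are this example's own names; it escapes with `CGI.escapeHTML` instead of Rails' output buffer and only looks up locals rather than evaluating Ruby.

```ruby
require 'cgi'
# Toy model (added example, not Rails/Erubis code) of how an Erubis-style
# handler dispatches <%= and <%== with and without the override from this
# commit. Escaping uses CGI.escapeHTML; Rails does it in the output buffer.
class ToyErb
  # escape: whether escaping is enabled for this template (Rails 3 turns it
  #   on for html templates; it is off for text templates or for apps that
  #   reverted to the Rails 2 default, the case Fjan describes).
  # override_double_eq: the behaviour introduced by this commit.
  def initialize(escape:, override_double_eq:)
    @escape = escape
    @override = override_double_eq
  end

  # Render a template string, looking each expression up in +locals+.
  def render(template, locals)
    template.gsub(/<%(==?)\s*(.*?)\s*%>/) do
      indicator, code = $1, $2
      add_expr(locals.fetch(code.to_sym).to_s, indicator)
    end
  end
  private
  # Erubis toggles the meaning of <%= and <%== on @escape. With the
  # override, <%== always takes the raw path regardless of @escape.
  def add_expr(value, indicator)
    case indicator
    when '='
      @escape ? html_escape(value) : raw(value)
    when '=='
      return raw(value) if @override
      @escape ? raw(value) : html_escape(value)
    end
  end
  def html_escape(value)
    CGI.escapeHTML(value)
  end
  def raw(value)
    value
  end
end

# Constructed sample: the kind of value the test fixtures in this commit use.
LOCALS = { payload: "<strong>this is also raw</strong>" }.freeze
TEXT_TEMPLATE = "Hello <%== payload %> in a text template"
before = ToyErb.new(escape: false, override_double_eq: false)
after  = ToyErb.new(escape: false, override_double_eq: true)
puts "before: #{before.render(TEXT_TEMPLATE, LOCALS)}" # escaped: the regression
puts "after:  #{after.render(TEXT_TEMPLATE, LOCALS)}"  # raw, as the commit intends
```

Flipping `escape:` to `false` with the override on shows Fjan's point: both `<%=` and `<%==` then emit raw output, so a review of templates in such an app has to treat every expression as unescaped.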
