
Make sure :id and friends are properly unescaped (closes #5275).

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4435 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
1 parent 332fcfa commit 2ffc84d23ff8f78bf43b277d64a4bcda51e932fc @jamis jamis committed Jun 5, 2006
2 actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Make sure :id and friends are unescaped properly. #5275 [me@julik.nl]
+
* Fix documentation for with_routing to reflect new reality. #5281 [rramdas@gmail.com]
* Rewind readable CGI params so others may reread them (such as CGI::Session when passing the session id in a multipart form). #210 [mklame@atxeu.com, matthew@walker.wattle.id.au]
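Review bot: The new CHANGELOG entry says ":id and friends" without naming which route keys are affected or noting that the values applications receive in params change from percent-encoded to decoded. Spell out the affected keys and the behaviour change so upgraders who were unescaping route params themselves know to stop doing it.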
4 actionpack/lib/action_controller/routing.rb
@@ -500,7 +500,9 @@ def build_pattern(pattern)
end
def match_extraction(next_capture)
hangon = (default ? "|| #{default.inspect}" : "if match[#{next_capture}]")
- "params[:#{key}] = match[#{next_capture}] #{hangon}"
+
+ # All non code-related keys (such as :id, :slug) have to be unescaped as other CGI params
+ "params[:#{key}] = match[#{next_capture}] && CGI.unescape(match[#{next_capture}]) #{hangon}"
end
def optionality_implied?
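Review bot: CGI.unescape in the generated assignment in match_extraction applies form-encoding rules to a path segment, so a literal "+" in a URL such as /page/a+b would reach the controller as "a b"; in a path component only %XX sequences should be decoded. Consider a path-specific unescape, or document the "+" behaviour. The decoded value can also contain characters that were not present in the raw segment, for example "/" from %2F or "%" from %25, so it is worth stating in the comment that callers must validate params[:id] and similar keys before using them in file paths or lookups, and confirming that the path handed to recognition has not already been decoded once upstream. The phrase "non code-related keys" in the new comment is hard to parse; name the keys that are decoded and the ones that are not.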
17 actionpack/test/controller/routing_test.rb
@@ -241,6 +241,23 @@ def test_route_with_fixnum_default
assert_equal({:controller => "content", :action => 'show_page', :id => '10'}, rs.recognize_path("/page/10"))
end
+ # For newer revision
+ def test_route_with_text_default
+ rs.draw do |map|
+ map.connect 'page/:id', :controller => 'content', :action => 'show_page', :id => 1
+ map.connect ':controller/:action/:id'
+ end
+
+ assert_equal '/page/foo', rs.generate(:controller => 'content', :action => 'show_page', :id => 'foo')
+ assert_equal({:controller => "content", :action => 'show_page', :id => 'foo'}, rs.recognize_path("/page/foo"))
+
+ token = "\321\202\320\265\320\272\321\201\321\202" # 'text' in russian
+ escaped_token = CGI::escape(token)
+
+ assert_equal '/page/' + escaped_token, rs.generate(:controller => 'content', :action => 'show_page', :id => token)
+ assert_equal({:controller => "content", :action => 'show_page', :id => token}, rs.recognize_path("/page/#{escaped_token}"))
+ end
+
def test_action_expiry
assert_equal '/content', rs.generate({:controller => 'content'}, {:controller => 'content', :action => 'show'})
end
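Review bot: test_route_with_text_default only exercises a multibyte token, which leaves the edge cases of the new CGI.unescape call unpinned. Add recognize_path assertions for ids containing "+", "%2F" and "%25", each paired with the matching rs.generate call so the round trip is checked. The test name says "text_default" although the route default is :id => 1, and the comment "# For newer revision" does not say what is being tested; rename the test and comment to describe escaping of route parameters.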
