Permalink
Browse files

simple_format returns a safe buffer escaping unsafe input [Santiago P…

…astorino] (Closes #3767)

Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
  • Loading branch information...
1 parent 6451e86 commit 4158282e32bf0a7d9fbb1a7669ade2226f909b12 Santiago Pastorino and José Ignacio Costa committed with dhh Feb 12, 2010
Showing with 14 additions and 2 deletions.
  1. +2 −2 actionpack/lib/action_view/helpers/text_helper.rb
  2. +12 −0 actionpack/test/template/text_helper_test.rb
@@ -323,12 +323,12 @@ def markdown(text)
# # => "<p class='description'>Look ma! A class!</p>"
def simple_format(text, html_options={})
start_tag = tag('p', html_options, true)
- text = text.to_s.dup
+ text = h(text)
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
text.insert 0, start_tag
- text << "</p>"
+ text.safe_concat "</p>"
end
# Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
@@ -39,6 +39,18 @@ def test_simple_format
assert_equal %Q(<p class="test">para 1</p>\n\n<p class="test">para 2</p>), simple_format("para 1\n\npara 2", :class => 'test')
end
+ def test_simple_format_should_be_html_safe
+ assert simple_format("<b> test with html tags </b>").html_safe?
+ end
+
+ def test_simple_format_should_escape_unsafe_input
+ assert_equal "<p>&lt;b&gt; test with unsafe string &lt;/b&gt;</p>", simple_format("<b> test with unsafe string </b>")
+ end
+
+ def test_simple_format_should_not_escape_safe_input
+ assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
+ end
+
def test_truncate
assert_equal "Hello World!", truncate("Hello World!", :length => 12)
assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)

0 comments on commit 4158282

Please sign in to comment.