
Merge branch '3-0-8' into 3-0-stable

* 3-0-8:
  bumping to 3.0.8
  Do not modify a safe buffer in helpers
  Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe?
2 parents b3b747d + b341e45 commit 54d262f6df075854384da8eac35f57df657b57a6 @tenderlove tenderlove committed Jun 7, 2011
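--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.0.8.rc4
+3.0.8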
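--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end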
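--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end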
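--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -115,13 +115,12 @@ def highlight(text, phrases, *args)
 end
 options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
-text = sanitize(text) unless options[:sanitize] == false
-if text.blank? || phrases.blank?
-text
-else
+if text.present? && phrases.present?
 match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
-text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
-end.html_safe
+text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
+end
+text = sanitize(text) unless options[:sanitize] == false
+text
 end
 # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
@@ -251,14 +250,16 @@ def word_wrap(text, *args)
 # simple_format("Look ma! A class!", :class => 'description')
 # # => "<p class='description'>Look ma! A class!</p>"
 def simple_format(text, html_options={}, options={})
-text = ''.html_safe if text.nil?
+text = text ? text.to_str : ''
+text = text.dup if text.frozen?
 start_tag = tag('p', html_options, true)
-text = sanitize(text) unless options[:sanitize] == false
 text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
 text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
 text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
 text.insert 0, start_tag
-text.html_safe.safe_concat("</p>")
+text.concat("</p>")
+text = sanitize(text) unless options[:sanitize] == false
+text
 end
 # Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
@@ -477,7 +478,7 @@ def set_cycle(name, cycle_object)
 # is yielded and the result is used as the link text.
 def auto_link_urls(text, html_options = {}, options = {})
 link_attributes = html_options.stringify_keys
-text.gsub(AUTO_LINK_RE) do
+text.to_str.gsub(AUTO_LINK_RE) do
 scheme, href = $1, $&
 punctuation = []
@@ -494,33 +495,26 @@ def auto_link_urls(text, html_options = {}, options = {})
 end
 end
-link_text = block_given?? yield(href) : href
+link_text = block_given? ? yield(href) : href
 href = 'http://' + href unless scheme
-unless options[:sanitize] == false
-link_text = sanitize(link_text)
-href = sanitize(href)
-end
-content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
+sanitize = options[:sanitize] != false
+content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
 end
 end
 end
 # Turns all email addresses into clickable links. If a block is given,
 # each email is yielded and the result is used as the link text.
 def auto_link_email_addresses(text, html_options = {}, options = {})
-text.gsub(AUTO_EMAIL_RE) do
+text.to_str.gsub(AUTO_EMAIL_RE) do
 text = $&
 if auto_linked?($`, $')
 text.html_safe
 else
-display_text = (block_given?) ? yield(text) : text
-
-unless options[:sanitize] == false
-text = sanitize(text)
-display_text = sanitize(display_text) unless text == display_text
-end
+display_text = block_given? ? yield(text) : text
+display_text = sanitize(display_text) unless options[:sanitize] == false
 mail_to text, display_text, html_options
 end
 end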
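Review bot: In the auto_link_email_addresses hunk the matched address `text` now reaches `mail_to` without the `sanitize(text)` the old code applied, so the address is only safe if `AUTO_EMAIL_RE` (defined outside this hunk) cannot match markup-significant characters such as `<`, `"` or `&`; that reasoning lives nowhere in the code. A comment above the `mail_to` call, `# the address itself is not sanitized: it must be covered by AUTO_EMAIL_RE's character class`, would record the assumption for whoever next edits the regex. In the highlight hunk, `sanitize` now runs after the highlighter markup is inserted, so a custom `:highlighter` is subject to the same whitelist as the input; `# sanitize after highlighting so :highlighter markup is whitelisted too` would make that ordering deliberate rather than accidental. Both enclosing methods continue outside their hunks.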
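--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -48,6 +48,10 @@ def test_simple_format_should_not_sanitize_input_when_sanitize_option_is_false
 assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false)
 end
+def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false
+assert !simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false).html_safe?
+end
+
 def test_truncate_should_not_be_html_safe
 assert !truncate("Hello World!", :length => 12).html_safe?
 end
@@ -166,6 +170,13 @@ def test_highlight_with_options_hash
 )
 end
+def test_highlight_on_an_html_safe_string
+assert_equal(
+"<p>This is a <b>beautiful</b> morning, but also a <b>beautiful</b> day</p>",
+highlight("<p>This is a beautiful morning, but also a beautiful day</p>".html_safe, "beautiful", :highlighter => '<b>\1</b>')
+)
+end
+
 def test_highlight_with_html
 assert_equal(
 "<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
@@ -306,13 +317,10 @@ def test_auto_link_parsing
 end
 end
-def generate_result(link_text, href = nil, escape = false)
-href ||= link_text
-if escape
-%{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
-else
-%{<a href="#{href}">#{link_text}</a>}
-end
+def generate_result(link_text, href = nil)
+href = CGI::escapeHTML(href || link_text)
+text = CGI::escapeHTML(link_text)
+%{<a href="#{href}">#{text}</a>}
 end
 def test_auto_link_should_not_be_html_safe
@@ -323,6 +331,8 @@ def test_auto_link_should_not_be_html_safe
 assert !auto_link('').html_safe?, 'should not be html safe'
 assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
 assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
+assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
 end
 def test_auto_link_email_address
@@ -425,7 +435,7 @@ def test_auto_link
 def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
 link_raw = %{http://www.rubyonrails.com?id=1&num=2}
-assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
+assert_equal %{<a href="http://www.rubyonrails.com?id=1&amp;num=2">http://www.rubyonrails.com?id=1&amp;num=2</a>}, auto_link(link_raw)
 end
 def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false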
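Review bot: test_highlight_on_an_html_safe_string checks the rendered markup but not the safety flag of the result, which is the property this commit is about; adding `assert highlight("<p>a</p>".html_safe, "a").html_safe?` (or the negation, whichever is intended) pins it. Two new code paths in text_helper.rb also have no test here: the `text.dup if text.frozen?` line in simple_format, coverable with `assert_equal "<p>frozen</p>", simple_format("frozen".freeze)`, and highlight with a nil `text`, which now falls through to `sanitize` instead of returning early. The test class continues outside the hunk, so existing cases for these may live elsewhere in the file.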
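--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end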
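--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end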
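--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end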
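--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -73,6 +73,7 @@ def html_safe?
 module ActiveSupport #:nodoc:
 class SafeBuffer < String
+UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
 alias safe_concat concat
 def concat(value)
@@ -103,6 +104,18 @@ def to_s
 def to_yaml(*args)
 to_str.to_yaml(*args)
 end
+
+for unsafe_method in UNSAFE_STRING_METHODS
+class_eval <<-EOT, __FILE__, __LINE__
+def #{unsafe_method}(*args)
+super.to_str
+end
+
+def #{unsafe_method}!(*args)
+raise TypeError, "Cannot modify SafeBuffer in place"
+end
+EOT
+end
 end
 end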
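Review bot: UNSAFE_STRING_METHODS is a denylist, so any String method that is not named here and either returns a subclass instance or mutates in place still produces or keeps an html_safe? buffer; `[]` is a separate method from `slice` in MRI, and non-bang mutators such as `insert`, `replace` and `[]=` appear to remain unguarded, which is worth confirming against the Ruby versions this branch supports before relying on the list as the security boundary. A comment above the constant should state that intent, e.g. `# String methods whose result must lose html_safe?; their bang forms raise because they would mutate a safe buffer in place. Methods not listed here still return a SafeBuffer.`, so the next person extending it knows omissions are failures open. As a point of style, `for unsafe_method in UNSAFE_STRING_METHODS` leaks `unsafe_method` into the class body; `UNSAFE_STRING_METHODS.each do |unsafe_method|` is the idiomatic form and the `class_eval` block inside is unchanged. The class continues outside the hunk.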
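--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end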
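--- a/activesupport/test/safe_buffer_test.rb
+++ b/activesupport/test/safe_buffer_test.rb
@@ -38,4 +38,16 @@ def setup
 new_buffer = @buffer.to_s
 assert_equal ActiveSupport::SafeBuffer, new_buffer.class
 end
+
+test "Should not return safe buffer from gsub" do
+altered_buffer = @buffer.gsub('', 'asdf')
+assert_equal 'asdf', altered_buffer
+assert !altered_buffer.html_safe?
+end
+
+test "Should not allow gsub! on safe buffers" do
+assert_raise TypeError do
+@buffer.gsub!('', 'asdf')
+end
+end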
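Review bot: Only gsub and gsub! are exercised, although UNSAFE_STRING_METHODS enumerates nineteen methods generated through the same `class_eval` template, so a typo in the template for a zero-argument method would go unnoticed; one generic case such as `test "Should not return safe buffer from upcase" do` / `assert !@buffer.upcase.html_safe?` / `end`, plus the matching `assert_raise TypeError` for `upcase!`, would cover the template independently of gsub's argument handling. A test pinning `@buffer[0..0].html_safe?` would also document whether substring access via `[]`, which is not in the list, is meant to stay safe. The test class continues outside the hunk.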
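--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end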
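--- a/version.rb
+++ b/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 0
 TINY = 8
-PRE = "rc4"
+PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end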

