Skip to content
Permalink
Browse files

Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`.

This is a list of mime types where template text is not html escaped
by default. It prevents `Jack & Joe` from rendering as
`Jack & Joe` for the whitelisted mime types. The default whitelist
contains text/plain.

This follows a whitelist approach where plain text templates are
not escaped, and all the others (json, xml) are. The mime type is
assumed to be set by the abstract controller.
  • Loading branch information
tilsammans committed Nov 16, 2012
1 parent 44f12bb commit 5f189f41258b83d49012ec5a0678d827327e7543
@@ -43,6 +43,13 @@

*Josh Peek*

* Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist
contains text/plain. Fix #7976

*Joost Baaij*

* `assert_template` can be used to assert on the same template with different locals
Fix #3675

@@ -47,6 +47,10 @@ class ERB
class_attribute :erb_implementation
self.erb_implementation = Erubis

# Do not escape templates of these mime types.
class_attribute :escape_whitelist
self.escape_whitelist = ["text/plain"]

ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")

def self.call(template)
@@ -78,6 +82,7 @@ def call(template)

self.class.erb_implementation.new(
erb,
:escape => (self.class.escape_whitelist.include? template.type),
:trim => (self.class.erb_trim_mode == "-")
).src
end
@@ -26,6 +26,10 @@ def hello
"Hello"
end

def apostrophe
"l'apostrophe"
end

def partial
ActionView::Template.new(
"<%= @virtual_path %>",
@@ -48,7 +52,7 @@ def my_buffer
end
end

def new_template(body = "<%= hello %>", details = {})
def new_template(body = "<%= hello %>", details = {format: html})
ActionView::Template.new(body, "hello template", details.fetch(:handler) { ERBHandler }, {:virtual_path => "hello"}.merge!(details))
end

@@ -72,6 +76,16 @@ def test_basic_template
assert_equal "Hello", render
end

def test_basic_template_does_html_escape
@template = new_template("<%= apostrophe %>")
assert_equal "l&#39;apostrophe", render
end

def test_text_template_does_not_html_escape
@template = new_template("<%= apostrophe %>", format: text)
assert_equal "l'apostrophe", render
end

def test_raw_template
@template = new_template("<%= hello %>", :handler => ActionView::Template::Handlers::Raw.new)
assert_equal "<%= hello %>", render

0 comments on commit 5f189f4

Please sign in to comment.
You can’t perform that action at this time.