From 709fbd3f323607f6974bfc4aeaeca791479e5fbe Mon Sep 17 00:00:00 2001 From: Carlos Antonio da Silva Date: Sat, 26 Jan 2013 22:07:47 -0200 Subject: [PATCH] Fix failing test related to escaping include_blank in select_tag Rails 3.0.x doesn't have the :prompt option in select_tag, it was introduced in c5d54be746473ce5610e5e6de51f6b9d2495c935 that is only available from 3.1.x on. The test and related fix were introduced in c9795871baacbe85ed4f19c2b830006fc6faeffd for Rails 3.0.17, as a fix for a security vulnerability. The code is completely fine but the test was using the invalid :prompt option for this version, probably because it was cherry-picked from other branch which has the option. --- actionpack/CHANGELOG | 4 ++-- actionpack/test/template/form_tag_helper_test.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 7c868d517e057..d51b09dddad32 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -19,9 +19,9 @@ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* -* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. +* When an "include_blank" value is supplied to the `select_tag` helper, the "include_blank" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. Vulnerable code will look something like this: - select_tag("name", options, :prompt => UNTRUSTED_INPUT) + select_tag("name", options, :include_blank => UNTRUSTED_INPUT) *Santiago Pastorino* diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb index e87db7ad35af4..14943064c1caf 100644 --- a/actionpack/test/template/form_tag_helper_test.rb +++ b/actionpack/test/template/form_tag_helper_test.rb 
@@ -195,8 +195,8 @@ def test_select_tag_with_include_blank assert_dom_equal expected, actual end - def test_select_tag_escapes_prompt - actual = select_tag "places", "".html_safe, :prompt => "" + def test_select_tag_escapes_include_blank + actual = select_tag "places", "".html_safe, :include_blank => "" expected = %() assert_dom_equal expected, actual end
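Review bot: In the CHANGELOG hunk, the second sentence of the rewritten entry still says "and is supplied as the prompt value" even though the entry now describes the `include_blank` option; change it to "supplied as the include_blank value" so the entry does not send 3.0.x readers looking for a `:prompt` option that this branch does not have.

Review bot: In the form_tag_helper_test.rb hunk, as rendered here both the `:include_blank` argument and the `expected` literal are empty (`:include_blank => ""` and `expected = %()`), so the test as shown would not demonstrate that untrusted markup in `include_blank` is escaped; confirm the committed test passes a string containing HTML metacharacters (for example a `<script>` tag) and that `expected` contains the corresponding escaped `<option>` output, otherwise the regression test for the 3.0.17 fix is vacuous.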