token_list: Guard Stimulus' data-action from multiple escapes
Prior to this commit, chaining more than one `token_list` call with a [data-action][] attribute value would result in one too many HTML escapes. Additional subsequent calls would compound the problem.

For example, the following calls would result in an invalid descriptor that's escaped too many times to be parsed.

```ruby
first = "click->controller#action1"
second = "click->controller#action2"
third = "click->controller#action3"
fourth = "click->controller#action4"

value = token_list(first, token_list(second, token_list(third)))

CGI.unescape_html value.to_s
# => "click->controller#action1 click->controller#action2 click->controller#action3 click->controller#action4"
```

By [CGI.unescape_html][] each `String` value before passing it to [token_list][] (which re-escapes the value), we can preserve a lossless concatenation process while also preserving the HTML safety.

After this commit, the previous example works as expected:

```ruby
first = "click->controller#action1"
second = "click->controller#action2"
third = "click->controller#action3"
fourth = "click->controller#action4"

value = token_list(first, token_list(second, token_list(third)))

CGI.unescape_html value.to_s
# => "click->controller#action1 click->controller#action2 click->controller#action3 click->controller#action4"
```

[unescaping]: https://ruby-doc.org/stdlib-2.5.3/libdoc/cgi/rdoc/CGI/Util.html#method-i-unescape_html
[token_list]: https://edgeapi.rubyonrails.org/classes/ActionView/Helpers/TagHelper.html#method-i-token_list
[data-action]: https://stimulus.hotwired.dev/reference/actions
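A stand-alone model of the compounding escape described in the commit message, added here as an example; it is not the commit's code or Rails' implementation. `split_tokens`, `naive_token_list`, `guarded_token_list` and `nested` are hypothetical names, and the model assumes only "split on whitespace, escape on output" using the standard library's `CGI`.

```ruby
require "cgi"

# Assumption: a simplified stand-in for a token-list helper, not Rails' code.
# It splits arguments into whitespace-separated tokens and drops duplicates.
def split_tokens(args)
  args.flat_map { |a| a.to_s.split(/\s+/) }.reject(&:empty?).uniq
end

# "Before": each call escapes every token, including tokens that an inner
# call already escaped, so "->" gains one "&amp;" layer per nesting level.
def naive_token_list(*args)
  split_tokens(args).map { |t| CGI.escape_html(t) }.join(" ")
end

# "After": unescape each String first, then escape exactly once on output.
# The result is still HTML-escaped, just never more than one level deep.
def guarded_token_list(*args)
  split_tokens(args.map { |a| CGI.unescape_html(a.to_s) })
    .map { |t| CGI.escape_html(t) }.join(" ")
end

# Constructed sample descriptors, matching the shape used in the commit message.
FIRST  = "click->controller#action1"
SECOND = "click->controller#action2"
THIRD  = "click->controller#action3"

# Nest three calls of the given helper, innermost first.
def nested(helper)
  send(helper, FIRST, send(helper, SECOND, send(helper, THIRD)))
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:   #{nested(:naive_token_list)}"
  puts "guarded: #{nested(:guarded_token_list)}"
  puts "decoded: #{CGI.unescape_html(nested(:guarded_token_list))}"
end
```

One trade-off of unescaping before re-escaping: an input that literally contains entity text such as `&gt;` is normalised to `>` before it is escaped again, so the helper cannot distinguish the two.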