Merge pull request #4433 from carlosantoniodasilva/html-escape-once

Html escape once
2 parents 0eb4673 + 9d25af6 commit 9906492f5382b1d027d6dd64ba21dc6a6ed4f4f5 @josevalim josevalim committed Feb 1, 2012
2 actionpack/lib/action_view/helpers/tag_helper.rb
@@ -118,7 +118,7 @@ def cdata_section(content)
# escape_once("<< Accept & Checkout")
# # => "<< Accept & Checkout"
def escape_once(html)
- html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ ERB::Util.html_escape_once(html)
end
private
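Review bot: the example in the comment at the top of this hunk shows `escape_once("<< Accept & Checkout")` returning the string unchanged, while the same example in the `html_escape_once` docs added later in this patch reads `"&lt;&lt; Accept &amp; Checkout"`; the entities look like they were decoded when the page was rendered, so confirm the source comment shows the escaped form. Note also the behaviour change on the `+` line: `ERB::Util.html_escape_once` returns an `html_safe` result when its input is `html_safe` (the `s.html_safe? ? result.html_safe : result` line in output_safety.rb), whereas the removed `gsub` always returned a plain String; that deserves a sentence in the helper's own docs.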
14 actionpack/test/template/erb_util_test.rb
@@ -44,4 +44,18 @@ def test_rest_in_ascii
assert_equal chr, html_escape(chr)
end
end
+
+ def test_html_escape_once
+ assert_equal '1 &lt; 2 &amp; 3', html_escape_once('1 < 2 &amp; 3')
+ end
+
+ def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
+ value = html_escape_once('1 < 2 &amp; 3')
+ assert !value.html_safe?
+ end
+
+ def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
+ value = html_escape_once('1 < 2 &amp; 3'.html_safe)
+ assert value.html_safe?
+ end
end
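Review bot: the new tests only exercise `<` and an already-escaped `&amp;`, while the regexp they back (`/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/` in output_safety.rb) also handles `>`, `"` and decimal numeric references, none of which are covered. Suggest adding `assert_equal '&quot;a&quot; &gt; b &#39;', html_escape_once('"a" > b &#39;')` so that the pass-through of `&#39;` and the escaping of `"` and `>` are both pinned down by a regression test.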
2 activesupport/CHANGELOG.md
@@ -1,5 +1,7 @@
## Rails 4.0.0 (unreleased) ##
+* Add html_escape_once to ERB::Util, and delegate escape_once tag helper to it. *Carlos Antonio da Silva*
+
* Remove ActiveSupport::TestCase#pending method, use `skip` instead. *Carlos Antonio da Silva*
* Deprecates the compatibility method Module#local_constant_names,
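Review bot: the new entry sits directly under the `## Rails 4.0.0 (unreleased) ##` heading with no blank line between them; add one so the heading and the list stay separated. The second half of the entry (delegating the `escape_once` tag helper) is an Action Pack change and belongs in actionpack/CHANGELOG.md as well, since this file only covers Active Support.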
19 activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -5,6 +5,8 @@ class ERB
module Util
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+ HTML_ESCAPE_ONCE_REGEXP = /[\"><]|&(?!([a-zA-Z]+|(#\d+));)/
@fxn
Ruby on Rails member
fxn added a note Feb 1, 2012

That backslash to the left of the quote is not needed right? Also I think the group (#\d+) is unnecessary, if I am not mistaken ([a-zA-Z]+|#\d+) would suffice.

@tenderlove
Ruby on Rails member

@fxn I think you're right.

@josevalim
Ruby on Rails member

@tenderlove I think you're right.

@hone
hone added a note Feb 1, 2012

@josevalim I think you're right.

@kuinak
kuinak added a note Feb 1, 2012

@hone I think you're right.

@wycats
Ruby on Rails member
wycats added a note Feb 1, 2012

@kuinak I think you're right.

@drbrain
drbrain added a note Feb 1, 2012

@wycats I think you are right.

@j05h
j05h added a note Feb 1, 2012

@drbrain I think you're right!

@guilleiguaran
Ruby on Rails member

@j05h I think you're right!

@jcast
jcast added a note Feb 1, 2012

@guilleiguaran I think you're right.

@sikachu
Ruby on Rails member
@pusewicz
pusewicz added a note Feb 1, 2012

@jcast I think you're right.

@fcoury
fcoury added a note Feb 1, 2012

@pusewicz unfortunately, I think you are wrong. It should have been @sikachu.

@fcoury I think you're right.

@drogus
Ruby on Rails member
drogus added a note Feb 1, 2012

c-c-c-c-c-c-c-combo breaker ;)

@pusewicz
pusewicz added a note Feb 1, 2012

@fcoury 😭

@fxn
Ruby on Rails member
fxn added a note Feb 1, 2012

@tenderlove I think you're right.

@jonleighton
Ruby on Rails member

@fxn I have no idea what this is about, but you're probably right.

@parndt
parndt added a note Feb 2, 2012

@jonleighton I think you're right.

+ JSON_ESCAPE_REGEXP = /[&"><]/
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
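Review bot: the `&(?!([a-zA-Z]+|(#\d+));)` alternation in `HTML_ESCAPE_ONCE_REGEXP` passes named (`&amp;`) and decimal (`&#39;`) references through but not hexadecimal ones, so `&#x27;` would be re-escaped to `&amp;#x27;`; widen it to `&(?!([a-zA-Z]+|#\d+|#[xX][0-9a-fA-F]+);)`, which also drops the redundant inner group and the unneeded backslash in `[\"><]` that the inline comments point out. Note too that neither this regexp nor `HTML_ESCAPE` (defined two lines above) handles `'`, so single-quoted attribute values stay outside what either helper protects; that limitation is worth documenting next to the constant.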
@@ -33,6 +35,21 @@ def html_escape(s)
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
+ # Returns an escaped version of +html+ without affecting existing escaped entities.
+ #
+ # ==== Examples
+ # html_escape_once("1 < 2 &amp; 3")
+ # # => "1 &lt; 2 &amp; 3"
+ #
+ # html_escape_once("&lt;&lt; Accept & Checkout")
+ # # => "&lt;&lt; Accept &amp; Checkout"
+ def html_escape_once(s)
+ result = s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP) { |special| HTML_ESCAPE[special] }
+ s.html_safe? ? result.html_safe : result
+ end
+
+ module_function :html_escape_once
+
# A utility method for escaping HTML entities in JSON strings
# using \uXXXX JavaScript escape sequences for string literals:
#
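Review bot: the doc comment's "without affecting existing escaped entities" is broader than what `HTML_ESCAPE_ONCE_REGEXP` actually recognises (named and decimal numeric references only); either state that restriction here or bring the regexp in line with the comment. On the `s.html_safe? ? result.html_safe : result` line, re-marking the result safe is sound because `<`, `>`, `"` and bare `&` are still escaped even when `s` is a SafeBuffer, but the comment should say explicitly that a safe input yields a safe output, since callers of the delegating `escape_once` tag helper previously always received a plain String.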
@@ -51,7 +68,7 @@ def html_escape(s)
# <%=j @person.to_json %>
#
def json_escape(s)
- result = s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
+ result = s.to_s.gsub(JSON_ESCAPE_REGEXP) { |special| JSON_ESCAPE[special] }
s.html_safe? ? result.html_safe : result
end
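Review bot: `JSON_ESCAPE_REGEXP` (`/[&"><]/`) matches `"`, but the `JSON_ESCAPE` hash defined alongside it has no `"` key, so the block returns nil and `gsub` substitutes an empty string: double quotes are silently deleted from the output instead of being escaped. This hunk only hoists the existing literal into a constant and so preserves that behaviour, but it is the natural moment to fix it: either add `'"' => '\u0022'` to `JSON_ESCAPE` or remove `"` from the character class, and add a test that passes a value containing a quote.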

0 comments on commit 9906492
