Permalink
Browse files

html_escape mail_to when encode javascript and not hex

Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
  • Loading branch information...
1 parent f86421f commit 9f1900ec7a8a27e1a0eeef93e1226c09a79666b5 Santiago Pastorino and José Ignacio Costa committed with Yehuda Katz Feb 13, 2010
Showing with 3 additions and 5 deletions.
  1. +3 −5 actionpack/lib/action_view/helpers/url_helper.rb
View
8 actionpack/lib/action_view/helpers/url_helper.rb
@@ -469,14 +469,12 @@ def mail_to(email_address, name = nil, html_options = {})
extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}&" unless subject.nil?
extras = "?" << extras.gsub!(/&?$/,"") unless extras.empty?
- email_address = email_address.to_s
-
- email_address_obfuscated = email_address.dup
+ email_address_obfuscated = html_escape(email_address)
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
if encode == "javascript"
- "document.write('#{content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
+ "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
string << sprintf("%%%x", c)
end
"<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>"
@@ -495,7 +493,7 @@ def mail_to(email_address, name = nil, html_options = {})
end
content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
else
- content_tag "a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
+ content_tag "a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
end
end

0 comments on commit 9f1900e

Please sign in to comment.