Permalink
Browse files

truncate() should not try to produce HTML-safe output

As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate()
method cannot guarantee safe output for all possible inputs/offsets, so
it is best to leave the output unsafe so that it gets escaped when used
in a view.

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
  • Loading branch information...
wincent authored and dhh committed Jun 17, 2010
1 parent 69bc8b2 commit a424808df95c5ebe66d02f0d743e741a1864baa7
Showing with 8 additions and 22 deletions.
  1. +4 −8 actionpack/lib/action_view/helpers/text_helper.rb
  2. +4 −14 actionpack/test/template/text_helper_test.rb
@@ -39,7 +39,10 @@ def safe_concat(string)
# for a total length not exceeding <tt>:length</tt>.
#
# Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
- # Pass a <tt>:safe</tt> value as "true" to not to escape the content.
+ #
+ # The result is not marked as HTML-safe, so will be subject to the default escaping when
+ # used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
+ # or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
#
# ==== Examples
#
@@ -56,12 +59,6 @@ def safe_concat(string)
# # => "And they f... (continued)"
#
# truncate("<p>Once upon a time in a world far far away</p>")
- # # => "&lt;p&gt;Once upon a time i..."
- #
- # truncate("<p>Once upon a time in a world far far away</p>", :safe => true)
- # # => "<p>Once upon a time in a wo..."
- #
- # truncate("<p>Once upon a time in a world far far away</p>".html_safe)
# # => "<p>Once upon a time in a wo..."
#
# You can still use <tt>truncate</tt> with the old API that accepts the
@@ -84,7 +81,6 @@ def truncate(text, *args)
options.reverse_merge!(:length => 30)
- text = h(text) unless text.html_safe? || options[:safe]
text.truncate(options.delete(:length), options) if text
end
@@ -52,27 +52,17 @@ def test_simple_format_should_not_escape_safe_input
assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
end
- def test_truncate_should_be_html_safe
- assert truncate("Hello World!", :length => 12).html_safe?
+ def test_truncate_should_not_be_html_safe
+ assert !truncate("Hello World!", :length => 12).html_safe?
end
def test_truncate
assert_equal "Hello World!", truncate("Hello World!", :length => 12)
assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
end
- def test_truncate_should_escape_unsafe_input
- assert_equal "Hello &lt...", truncate("Hello <script>code!</script>World!!", :length => 12)
- end
-
- def test_truncate_should_not_escape_input_if_safe_option
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
- end
-
- def test_truncate_should_not_escape_safe_input
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
- assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
+ def test_truncate_should_not_escape_input
+ assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12)
end
def test_truncate_should_use_default_length_of_30

0 comments on commit a424808

Please sign in to comment.