
html_escape should escape single quotes

1 parent c102022 commit b6ab4417720e03f1551abda2f1e4bd0a392dd04e @spastorino spastorino committed
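--- a/actionpack/test/controller/new_base/render_template_test.rb
+++ b/actionpack/test/controller/new_base/render_template_test.rb
@@ -126,7 +126,7 @@ class TestWithoutLayout < Rack::TestCase
 test "rendering a template with error properly excerts the code" do
 get :with_error
 assert_status 500
-assert_match "undefined local variable or method `idontexist'", response.body
+assert_match "undefined local variable or method `idontexist", response.body
 end
 end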
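Review bot: Dropping the closing quote from the expected substring makes the assertion pass whether or not that quote is escaped, so the test no longer documents the behaviour this commit introduces; if the error page body goes through html_escape (not visible here), `assert_match "undefined local variable or method `idontexist&#x27;", response.body` would pin the new output instead. The fixture edits in render_test.rb, template_test.rb, text_helper_test.rb and url_helper_test.rb (`I'm` → `I am`, `Here's` → `Here is`, `can't` → `cant`) sidestep the apostrophe in the same way; keeping at least one apostrophe in a fixture with `&#x27;` in the expected markup would cover the change end to end, assuming assert_dom_equal compares attribute text literally. The enclosing class continues outside the hunk.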
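--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -186,7 +186,7 @@ def render_text_hello_world
 # :ported:
 def render_text_hello_world_with_layout
-@variable_for_layout = ", I'm here!"
+@variable_for_layout = ", I am here!"
 render :text => "hello world", :layout => true
 end
@@ -844,7 +844,7 @@ def test_render_text
 # :ported:
 def test_do_with_render_text_and_layout
 get :render_text_hello_world_with_layout
-assert_equal "<html>hello world, I'm here!</html>", @response.body
+assert_equal "<html>hello world, I am here!</html>", @response.body
 end
 # :ported: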
# :ported:
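--- a/actionpack/test/template/erb_util_test.rb
+++ b/actionpack/test/template/erb_util_test.rb
@@ -8,11 +8,11 @@ class ErbUtilTest < ActiveSupport::TestCase
 define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
 assert_equal expected, html_escape(given)
 end
+end
-unless given == '"'
-define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
-assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
-end
+ERB::Util::JSON_ESCAPE.each do |given, expected|
+define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
 end
 end
@@ -40,13 +40,13 @@ def test_html_escape_passes_html_escpe_unmodified
 def test_rest_in_ascii
 (0..127).to_a.map {|int| int.chr }.each do |chr|
-next if chr.in?('&"<>')
+next if chr.in?('&"<>\'')
 assert_equal chr, html_escape(chr)
 end
 end
 def test_html_escape_once
-assert_equal '1 &lt; 2 &amp; 3', html_escape_once('1 < 2 &amp; 3')
+assert_equal '1 &lt;&gt;&amp;&quot;&#x27; 2 &amp; 3', html_escape_once('1 <>&"\' 2 &amp; 3')
 end
 def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings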
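Review bot: The html_escape_once assertion in the second hunk covers a raw `'` but not the round trip on text html_escape has already produced, which is the case the method exists for; a second assertion such as `assert_equal '&#x27;', html_escape_once('&#x27;')` would pin that the hexadecimal entity now emitted by `HTML_ESCAPE` is left alone. With `HTML_ESCAPE_ONCE_REGEXP` as changed in output_safety.rb, whose lookahead exempts only named and decimal entities, that assertion would currently fail, which is what makes it worth adding. The test class continues outside both hunks.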
def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
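--- a/actionpack/test/template/form_options_helper_test.rb
+++ b/actionpack/test/template/form_options_helper_test.rb
@@ -1125,7 +1125,7 @@ def test_time_zone_select_with_default_time_zone_and_value
 def test_options_for_select_with_element_attributes
 assert_dom_equal(
-"<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+"<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"" + ERB::Util.html_escape("alert('Hello World');") + "\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
 options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
 )
 end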
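Review bot: The expected value on the added line calls `ERB::Util.html_escape("alert('Hello World');")`, so the assertion no longer states what the escaped attribute should look like and would still pass if html_escape changed its output; writing the literal `onclick=\"alert(&#x27;Hello World&#x27;);\"` keeps the expectation independent of the code it exercises. The same pattern appears in form_tag_helper_test.rb (test_submit_tag), text_helper_test.rb (test_truncate_with_block_should_escape_the_block) and url_helper_test.rb (test_link_tag_with_custom_onclick).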
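--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -374,7 +374,7 @@ def test_stringify_symbol_keys
 def test_submit_tag
 assert_dom_equal(
-%(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
+%(<input name='commit' data-disable-with="Saving..." onclick=") + ERB::Util.html_escape("alert('hello!')") + %(" type="submit" value="Save" />),
 submit_tag("Save", :onclick => "alert('hello!')", :data => { :disable_with => "Saving..." })
 )
 end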
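--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -84,7 +84,7 @@ def test_template_does_not_lose_its_source_after_rendering_if_it_does_not_have_a
 def test_locals
 @template = new_template("<%= my_local %>")
 @template.locals = [:my_local]
-assert_equal "I'm a local", render(:my_local => "I'm a local")
+assert_equal "I am a local", render(:my_local => "I am a local")
 end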
def test_restores_buffer
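--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -107,8 +107,8 @@ def test_truncate_does_not_modify_the_options_hash
 end
 def test_truncate_with_link_options
-assert_equal "Here's a long test and I...<a href=\"#\">Continue</a>",
-truncate("Here's a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
+assert_equal "Here is a long test and ...<a href=\"#\">Continue</a>",
+truncate("Here is a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
 end
 def test_truncate_should_be_html_safe
@@ -149,8 +149,8 @@ def test_truncate_with_block_with_escape_false_should_be_html_safe
 end
 def test_truncate_with_block_should_escape_the_block
-assert_equal "Here's a long test and I...&lt;script&gt;alert('foo');&lt;/script&gt;",
-truncate("Here's a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
+assert_equal "Here is a long test and ...&lt;script&gt;" + ERB::Util.html_escape("alert('foo');") + "&lt;/script&gt;",
+truncate("Here is a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
 end
 def test_highlight_should_be_html_safe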
def test_highlight_should_be_html_safe
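--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -244,7 +244,7 @@ def test_link_with_nil_html_options
 def test_link_tag_with_custom_onclick
 link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
-expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
+expected = %{<a href="http://www.example.com" onclick="} + ERB::Util.html_escape("alert('yay!')") + %{">Hello</a>}
 assert_dom_equal expected, link
 end
@@ -254,12 +254,12 @@ def test_link_tag_with_javascript_confirm
 link_to("Hello", "http://www.example.com", :data => { :confirm => "Are you sure?" })
 )
 assert_dom_equal(
-"<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
-link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure, can you?" })
+"<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure, can you?" })
 )
 assert_dom_equal(
-"<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
-link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure,\n can you?" })
+"<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure,\n can you?" })
 )
 end
@@ -272,14 +272,14 @@ def test_link_tag_with_deprecated_confirm
 end
 assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
 assert_dom_equal(
-"<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
-link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
+"<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
 )
 end
 assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
 assert_dom_equal(
-"<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
-link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+"<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
 )
 end
 end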
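--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,9 +3,9 @@
 class ERB
 module Util
-HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
+HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
 JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
-HTML_ESCAPE_ONCE_REGEXP = /[\"><]|&(?!([a-zA-Z]+|(#\d+));)/
+HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
 JSON_ESCAPE_REGEXP = /[&"><]/
 # A utility method for escaping HTML tag characters.
@@ -21,7 +21,7 @@ def html_escape(s)
 if s.html_safe?
 s
 else
-s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
+s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
 end
 end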
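Review bot: The new `HTML_ESCAPE_ONCE_REGEXP` in the first hunk only exempts named (`&name;`) and decimal (`&#123;`) entities from re-escaping, while `HTML_ESCAPE` on the line above it now emits the hexadecimal `&#x27;` for a single quote, so html_escape_once on output that html_escape already produced would turn `&#x27;` into `&amp;#x27;`. Extending the lookahead to hexadecimal references closes that gap: `HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/`. In the second hunk the literal `/[&"'><]/` passed to gsub repeats the key set of `HTML_ESCAPE` by hand; a named constant next to `HTML_ESCAPE_ONCE_REGEXP`, or a regexp built from `HTML_ESCAPE.keys`, would keep the two from drifting apart the next time a character is added. The definition of html_escape begins outside the hunk.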
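--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -498,8 +498,8 @@ def to_s
 end
 test "ERB::Util.html_escape should escape unsafe characters" do
-string = '<>&"'
-expected = '&lt;&gt;&amp;&quot;'
+string = '<>&"\''
+expected = '&lt;&gt;&amp;&quot;&#x27;'
 assert_equal expected, ERB::Util.html_escape(string)
 end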
