Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fix SafeBuffers by adding a dirty flag.

  • Loading branch information...
commit bc070baca3111350c53c7d87457093eb7b891278 1 parent 22cc1e9
@josevalim josevalim authored
View
46 activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -75,10 +75,33 @@ def html_safe?
module ActiveSupport #:nodoc:
class SafeBuffer < String
UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
- alias safe_concat concat
+
+ alias_method :original_concat, :concat
+ private :original_concat
+
+ class SafeConcatError < StandardError
+ def initialize
+ super "Could not concatenate to the buffer because it is not html safe."
+ end
+ end
+
+ def safe_concat(value)
+ raise SafeConcatError if dirty?
+ original_concat(value)
+ end
+
+ def initialize(*)
+ @dirty = false
+ super
+ end
+
+ def initialize_copy(other)
+ super
+ @dirty = other.dirty?
+ end
def concat(value)
- if value.html_safe?
+ if dirty? || value.html_safe?
super(value)
else
super(ERB::Util.h(value))
@@ -91,11 +114,7 @@ def +(other)
end
def html_safe?
- true
- end
-
- def html_safe
- self
+ !dirty?
end
def to_s
@@ -117,18 +136,21 @@ def #{unsafe_method}(*args)
end
def #{unsafe_method}!(*args)
- raise TypeError, "Cannot modify SafeBuffer in place"
+ @dirty = true
+ super
end
EOT
end
+
+ protected
+
+ def dirty?
+ @dirty
+ end
end
end
class String
- def html_safe!
- raise "You can't call html_safe! on a String"
- end
-
def html_safe
ActiveSupport::SafeBuffer.new(self)
end
View
39 activesupport/test/safe_buffer_test.rb
@@ -1,4 +1,6 @@
require 'abstract_unit'
+require 'active_support/core_ext/string/inflections'
+require 'yaml'
class SafeBufferTest < ActiveSupport::TestCase
def setup
@@ -39,15 +41,46 @@ def setup
assert_equal ActiveSupport::SafeBuffer, new_buffer.class
end
+ test "Should work with underscore" do
+ str = "MyTest".html_safe.underscore
+ assert_equal "my_test", str
+ end
+
test "Should not return safe buffer from gsub" do
altered_buffer = @buffer.gsub('', 'asdf')
assert_equal 'asdf', altered_buffer
assert !altered_buffer.html_safe?
end
- test "Should not allow gsub! on safe buffers" do
- assert_raise TypeError do
- @buffer.gsub!('', 'asdf')
+ test "Should not return safe buffer from gsub!" do
+ @buffer.gsub!('', 'asdf')
+ assert_equal 'asdf', @buffer
+ assert !@buffer.html_safe?
+ end
+
+ test "Should escape dirty buffers on add" do
+ dirty = @buffer
+ clean = "hello".html_safe
+ @buffer.gsub!('', '<>')
+ assert_equal "hello&lt;&gt;", clean + @buffer
+ end
+
+ test "Should concat as a normal string when dirty" do
+ dirty = @buffer
+ clean = "hello".html_safe
+ @buffer.gsub!('', '<>')
+ assert_equal "<>hello", @buffer + clean
+ end
+
+ test "Should preserve dirty? status on copy" do
+ @buffer.gsub!('', '<>')
+ assert !@buffer.dup.html_safe?
+ end
+
+ test "Should raise an error when safe_concat is called on dirty buffers" do
+ @buffer.gsub!('', '<>')
+ assert_raise ActiveSupport::SafeBuffer::SafeConcatError do
+ @buffer.safe_concat "BUSTED"
end
end
end
View
0  activesupport/test/tmp/development.log
No changes.
Please sign in to comment.
Something went wrong with that request. Please try again.