Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Add <%= escape_once html %> to escape html while leaving any currentl…

…y escaped entities alone. Fix button_to double-escaping issue. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5 1 parent 02358c8
risk danger olson technoweenie authored
2  actionpack/CHANGELOG
View
@@ -1,5 +1,7 @@
*SVN*
+* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
+
* Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc. [Rick]
* Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]
11 actionpack/lib/action_view/helpers/tag_helper.rb
View
@@ -31,10 +31,19 @@ def cdata_section(content)
"<![CDATA[#{content}]]>"
end
+ # Escapes a given string, while leaving any currently escaped entities alone.
+ #
+ # escape_once("1 > 2 &amp; 3")
+ # # => "1 &lt; 2 &amp; 3"
+ #
+ def escape_once(html)
+ fix_double_escape(html_escape(html.to_s))
+ end
+
private
def tag_options(options)
cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
- ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+ ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
end
def convert_booleans(options)
4 actionpack/lib/action_view/helpers/url_helper.rb
View
@@ -131,8 +131,8 @@ def button_to(name, options = {}, html_options = nil)
name ||= url
html_options.merge!("type" => "submit", "value" => name)
-
- "<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" +
+
+ "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
method_tag + tag("input", html_options) + "</div></form>"
end
4 actionpack/test/template/tag_helper_test.rb
View
@@ -39,6 +39,10 @@ def test_cdata_section
assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
end
+ def test_escape_once
+ assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
+ end
+
def test_double_escaping_attributes
['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
4 actionpack/test/template/url_helper_test.rb
View
@@ -38,6 +38,10 @@ def test_button_to_with_query
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
end
+ def test_button_to_with_escaped_query
+ assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2")
+ end
+
def test_button_to_with_query_and_no_name
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"http://www.example.com?q1=v1&amp;q2=v2\" /></div></form>", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
end
Please sign in to comment.
Something went wrong with that request. Please try again.