
Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
commit dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5 1 parent 02358c8
risk danger olson authored
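--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone.  Fix button_to double-escaping issue. [Rick]
+
 * Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc. [Rick]
 
 * Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]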
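--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -31,10 +31,19 @@ def cdata_section(content)
         "<![CDATA[#{content}]]>"
       end
 
+      # Escapes a given string, while leaving any currently escaped entities alone.
+      #
+      #   escape_once("1 > 2 &amp; 3")
+      #   # => "1 &lt; 2 &amp; 3"
+      #
+      def escape_once(html)
+        fix_double_escape(html_escape(html.to_s))
+      end
+
       private
         def tag_options(options)
           cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
-          ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+          ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
         end
 
         def convert_booleans(options)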
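Review bot: The example in the new escape_once doc comment contradicts itself: the input `escape_once("1 > 2 &amp; 3")` would yield `1 &gt; 2 &amp; 3`, while the shown result `"1 &lt; 2 &amp; 3"` is what test_escape_once gets from `'1 < 2 &amp; 3'`; change the example input to `#   escape_once("1 < 2 &amp; 3")`. The method delegates the entity-preserving step to fix_double_escape, which is defined outside this hunk, so which entity forms (named, decimal, hex) survive cannot be confirmed here; a short comment such as `# html_escape first, then fix_double_escape undoes the re-escaping of entities that were already escaped` would make the two-step contract explicit. The `html.to_s` keeps a nil argument safe, since html_escape then runs on an empty string.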
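--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -131,8 +131,8 @@ def button_to(name, options = {}, html_options = nil)
         name ||= url
 
         html_options.merge!("type" => "submit", "value" => name)
-
-        "<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" + 
+        
+        "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" + 
           method_tag + tag("input", html_options) + "</div></form>"
       end
 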
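Review bot: The added line before the form string is whitespace-only (eight spaces) where the removed line was empty; keep it empty so the hunk introduces no trailing whitespace. Replacing `h url` with `escape_once url` in the action attribute means a url whose query already contains `&amp;` is no longer rendered as `&amp;amp;`, as test_button_to_with_escaped_query checks, so a caller can no longer make a literal `&amp;` in the query survive as such; that trade-off deserves a one-line comment at the call site, e.g. `# url may arrive already HTML-escaped; escape_once avoids &amp;amp; (see test_button_to_with_escaped_query)`. button_to starts before this hunk, so where url and form_method are derived cannot be verified from here.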
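--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -39,6 +39,10 @@ def test_cdata_section
     assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
   end
   
+  def test_escape_once
+    assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
+  end
+  
   def test_double_escaping_attributes
     ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
       assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)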
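Review bot: test_escape_once pins only one mixed input; since tag_options now routes every attribute value through escape_once, the numeric-entity and nil cases it inherits deserve direct assertions, e.g. `assert_equal '&#8220;test&#8220;', escape_once('&#8220;test&#8220;')` and `assert_equal '', escape_once(nil)`. The first mirrors the value test_double_escaping_attributes already expects to pass through tag unchanged, and the second follows from the `html.to_s` in escape_once. The added line after the new method consists of two spaces only; an empty line would avoid trailing whitespace.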
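--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -38,6 +38,10 @@ def test_button_to_with_query
     assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
   end
 
+  def test_button_to_with_escaped_query
+    assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2")
+  end
+
   def test_button_to_with_query_and_no_name
     assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"http://www.example.com?q1=v1&amp;q2=v2\" /></div></form>", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
   end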
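Review bot: test_button_to_with_escaped_query covers a query that is entirely pre-escaped, but not one that mixes raw and escaped ampersands, which is the case escape_once exists for; add an assertion such as `button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2&q3=v3")` expecting `action=\"http://www.example.com/q1=v1&amp;q2=v2&amp;q3=v3\"` in the same form markup as the test above. The expected markup string in the new test is otherwise a verbatim copy of test_button_to_with_query's; extracting it into a local or a small helper would keep the two in sync.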
