NumberHelper.number_with_delimiter should html_escape both delimiters and separators #6355

Merged
merged 1 commit into from May 18, 2012
+4 −1

@@ -254,7 +254,7 @@ def number_with_delimiter(number, options = {})
parts = number.to_s.to_str.split('.')
parts[0].gsub!(/(\d)(?=(\d\d\d)+(?!\d))/, "\\1#{options[:delimiter]}")
- parts.join(options[:separator]).html_safe



josevalim May 17, 2012

Contributor

why not simply use safe_join back again?


josevalim May 17, 2012

Contributor

why not simply use safe_join back again?

+ safe_join(parts, options[:separator])
end
# Formats a +number+ with the specified level of
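Review bot: The delimiter and the separator are now escaped by two different routes, and they behave differently for input already marked html_safe. `options[:delimiter]` is interpolated into `parts[0]` by `gsub!`, which yields a plain String, so it is always escaped by `safe_join`, while an html_safe `options[:separator]` is passed through unescaped. A caller passing `"&nbsp;".html_safe` would therefore presumably get `&amp;nbsp;` as a delimiter but a literal `&nbsp;` as a separator. If that is intended, a comment above the `gsub!` line would make it explicit, for example `# delimiter is escaped as part of parts[0]; separator is escaped by safe_join unless html_safe`. The body of number_with_delimiter starts outside this hunk.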
@@ -78,6 +78,8 @@ def test_number_with_delimiter_with_options_hash
assert_equal '12,345,678-05', number_with_delimiter(12345678.05, :separator => '-')
assert_equal '12.345.678,05', number_with_delimiter(12345678.05, :separator => ',', :delimiter => '.')
assert_equal '12.345.678,05', number_with_delimiter(12345678.05, :delimiter => '.', :separator => ',')
+ assert_equal '1&lt;script&gt;&lt;/script&gt;01', number_with_delimiter(1.01, :separator => "<script></script>")
+ assert_equal '1&lt;script&gt;&lt;/script&gt;000', number_with_delimiter(1000, :delimiter => "<script></script>")
end
def test_number_with_precision
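Review bot: The two added assertions compare string content only, so they would still pass if the return value lost its html_safe flag, since `assert_equal` treats a String and a SafeBuffer with the same characters as equal. Unless this is covered elsewhere in the file, consider pinning the flag as well with `assert number_with_delimiter(1000, :delimiter => "<script></script>").html_safe?`. A case with `&` or a quote in the separator would also guard against a future escape routine that handles only angle brackets. The test method starts outside the hunk.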
@@ -196,6 +196,7 @@ def self.[](name)
class Base
include ActionView::Helpers::NumberHelper
+ include ActionView::Helpers::OutputSafetyHelper
attr_reader :total
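Review bot: Needing this extra include in a class that already mixes in NumberHelper suggests that NumberHelper does not itself pull in OutputSafetyHelper. If so, any other class that includes only `ActionView::Helpers::NumberHelper` would presumably raise NoMethodError on `safe_join` the first time number_with_delimiter is called. Consider placing `include ActionView::Helpers::OutputSafetyHelper` inside the NumberHelper module (not visible on this page) so the escaping dependency travels with the helper. class Base continues outside the hunk.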