Permalink
Browse files

simple_format should return html_safe but not escape text, that's for…

… rails_xss plugin [#3767 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  • Loading branch information...
1 parent 6d1344d commit adcfb4e8bd886fe9d14a9b97afdb9182d8abdc95 @spastorino spastorino committed with jeremy May 7, 2010
@@ -323,12 +323,12 @@ def markdown(text)
# # => "<p class='description'>Look ma! A class!</p>"
def simple_format(text, html_options={})
start_tag = tag('p', html_options, true)
- text = h(text)
+ text = text.to_s.dup
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
text.insert 0, start_tag
- text.safe_concat "</p>"
+ text.html_safe.safe_concat("</p>")
end
# Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
@@ -44,10 +44,6 @@ def test_simple_format_should_be_html_safe
assert simple_format("<b> test with html tags </b>").html_safe?
end
- def test_simple_format_should_escape_unsafe_input
- assert_equal "<p>&lt;b&gt; test with unsafe string &lt;/b&gt;</p>", simple_format("<b> test with unsafe string </b>")
- end
-
def test_simple_format_should_not_escape_safe_input
assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
end

0 comments on commit adcfb4e

Please sign in to comment.