Fix turning off escaping on methods that call other text fields in ot…

…her classes.
wwidea · Feb 18, 2009 · 0791bd6 · 0791bd6
1 parent ff56d5b
commit 0791bd6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/lib/cross_site_sniper.rb b/lib/cross_site_sniper.rb
@@ -41,7 +41,7 @@ def define_attribute_methods_with_html_escaping
             val = send("#{column.name}_without_html_escaping")
 
             #if htmlescaping is disabled, just send it as is.
-            return val if @html_escaping_disabled
+            return val if CrossSiteSniper.disabled?
 
             # Only escape strings. Other data types, such
             # as 'nil', should be returned uncorrupted.
@@ -64,9 +64,9 @@ def method_missing(method_sym,*args,&blk)
         #catch without_html_escaping for non-column methods and simulate it
         if method_sym.to_s[/(.+)_without_html_escaping/]
           original_method = $1
-          @html_escaping_disabled = true
+          CrossSiteSniper.disabled = true
           val = self.send(original_method)
-          @html_escaping_disabled = false
+          CrossSiteSniper.disabled = false
           return val
         else
           super
@@ -123,3 +123,13 @@ def html_escape(opts = {})
     end
   end
 end
+
+class CrossSiteSniper
+  def self.disabled?
+    @disabled
+  end
+
+  def self.disabled=(x)
+    @disabled = x
+  end
+end
diff --git a/test/cross_site_sniper_test.rb b/test/cross_site_sniper_test.rb
@@ -1,6 +1,6 @@
 require 'test/unit'
 require 'rubygems'
-gem 'activerecord', '>= 2.0.2'
+gem 'activerecord', '>= 2.3.0'
 require 'active_record'
 require 'erb'
 require "#{File.dirname(__FILE__)}/../init"
@@ -12,7 +12,7 @@ class CrossSiteSniperTest < Test::Unit::TestCase
   def setup
     setup_db
     @hunter = SnipeHunter.create(:name => '<b>One</b>', :title => '<b>One Title</b>', :description => '<b>One Description</b>',:age => 42)
-    @snipe = Snipe.create(:species => '<b>Fitch</b>', :genus => '<b>Abercrombie</b>')
+    @snipe = Snipe.create(:species => '<b>Fitch</b>', :genus => '<b>Abercrombie</b>', :snipe_hunter => @hunter)
     @leprechaun = Leprechaun.create(:name => '<b>Clover McGillicuty</b>')
   end
 
@@ -47,22 +47,28 @@ def test_basics
     assert_equal('&lt;b&gt;Fitch&lt;/b&gt;',snipe.species)
     assert_equal('<b>Abercrombie</b>',snipe.genus)
 
+    assert_equal('&lt;b&gt;Fitch&lt;/b&gt;',hunter.first_snipe_species)
+    assert_equal('<b>Fitch</b>',hunter.first_snipe_species_without_html_escaping)
+
     assert_equal('<b>Clover McGillicuty</b>',leprechaun.name)
   end
 end
 
 class SnipeHunter < ActiveRecord::Base
-
+  has_many :snipes
   #make title unescaped
   html_escape :except => :title
 
   #make description unescaped
   def description; '<b>Overriden</b>'; end
 
   def name_and_age; "#{name}(#{age})"; end
+
+  def first_snipe_species; snipes.first.species; end
 end
 
 class Snipe < ActiveRecord::Base
+  belongs_to :snipe_hunter
   #only escape species
   html_escape :only => :species
 end
@@ -87,6 +93,7 @@ def setup_db
     end
 
     create_table :snipes do |t|
+      t.column :snipe_hunter_id, :integer
       t.column :species, :string
       t.column :genus, :string
     end