diff --git a/actionview/lib/action_view/helpers/javascript_helper.rb b/actionview/lib/action_view/helpers/javascript_helper.rb
index 619ce9706b..0624833c14 100644
--- a/actionview/lib/action_view/helpers/javascript_helper.rb
+++ b/actionview/lib/action_view/helpers/javascript_helper.rb
@@ -12,7 +12,9 @@ module ActionView
 "\n" => '\n',
 "\r" => '\n',
 '"' => '\\"',
- "'" => "\\'"
+ "'" => "\\'",
+ "`" => "\\`",
+ "$" => "\\$"
 }
 JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
" @@ -29,7 +31,7 @@ module ActionView if javascript.empty? result = "" else - result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u, JS_ESCAPE_MAP) + result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) end javascript.html_safe? ? result.html_safe : result end diff --git a/actionview/test/template/javascript_helper_test.rb b/actionview/test/template/javascript_helper_test.rb index f974e5ae0c..4b7284d15b 100644 --- a/actionview/test/template/javascript_helper_test.rb +++ b/actionview/test/template/javascript_helper_test.rb @@ -36,6 +36,14 @@ class JavaScriptHelperTest < ActionView::TestCase assert_equal %(dont <\\/close> tags), j(%(dont tags)) end + def test_escape_backtick + assert_equal "\\`", escape_javascript("`") + end + + def test_escape_dollar_sign + assert_equal "\\$", escape_javascript("$") + end + def test_escape_javascript_with_safebuffer given = %('quoted' "double-quoted" new-line:\n ) expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)