kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Make sure :id and friends are properly unescaped (closes #5275).

Browse source 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4435 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
Jamis Buck 2006-06-05 14:51:27 +00:00
parent 332fcfaf6b
commit 2ffc84d23f
3 changed files with 22 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
actionpack/CHANGELOG
View file

@ -1,5 +1,7 @@
*SVN*
* Make sure :id and friends are unescaped properly. #5275 [me@julik.nl]
* Fix documentation for with_routing to reflect new reality. #5281 [rramdas@gmail.com]
* Rewind readable CGI params so others may reread them (such as CGI::Session when passing the session id in a multipart form). #210 [mklame@atxeu.com, matthew@walker.wattle.id.au]

4
actionpack/lib/action_controller/routing.rb
View file

@ -500,7 +500,9 @@ module ActionController
end
def match_extraction(next_capture)
hangon = (default ? "|| #{default.inspect}" : "if match[#{next_capture}]")
"params[:#{key}] = match[#{next_capture}] #{hangon}"
# All non code-related keys (such as :id, :slug) have to be unescaped as other CGI params
"params[:#{key}] = match[#{next_capture}] && CGI.unescape(match[#{next_capture}]) #{hangon}"
end
def optionality_implied?

17
actionpack/test/controller/routing_test.rb
View file

@ -241,6 +241,23 @@ class LegacyRouteSetTests < Test::Unit::TestCase
assert_equal({:controller => "content", :action => 'show_page', :id => '10'}, rs.recognize_path("/page/10"))
end
# For newer revision
def test_route_with_text_default
rs.draw do |map|
map.connect 'page/:id', :controller => 'content', :action => 'show_page', :id => 1
map.connect ':controller/:action/:id'
end
assert_equal '/page/foo', rs.generate(:controller => 'content', :action => 'show_page', :id => 'foo')
assert_equal({:controller => "content", :action => 'show_page', :id => 'foo'}, rs.recognize_path("/page/foo"))
token = "\321\202\320\265\320\272\321\201\321\202" # 'text' in russian
escaped_token = CGI::escape(token)
assert_equal '/page/' + escaped_token, rs.generate(:controller => 'content', :action => 'show_page', :id => token)
assert_equal({:controller => "content", :action => 'show_page', :id => token}, rs.recognize_path("/page/#{escaped_token}"))
end
def test_action_expiry
assert_equal '/content', rs.generate({:controller => 'content'}, {:controller => 'content', :action => 'show'})
end