Don't html-escape the :count option to translate if it's a Numeric. Fixes #3685.

Jon Leighton 2011-11-19 13:19:20 +00:00
parent 86b5e81e8a
commit 603a679e87
3 changed files with 21 additions and 2 deletions


@ -62,6 +62,13 @@
persistent between requests so if you need to manipulate the environment persistent between requests so if you need to manipulate the environment
for your test you need to do it before the cookie jar is created. for your test you need to do it before the cookie jar is created.
## Rails 3.1.3 (unreleased) ##
* Fix using `tranlate` helper with a html translation which uses the `:count` option for
pluralization.
*Jon Leighton*
## Rails 3.1.2 (unreleased) ## ## Rails 3.1.2 (unreleased) ##
* Fix XSS security vulnerability in the `translate` helper method. When using interpolation * Fix XSS security vulnerability in the `translate` helper method. When using interpolation


@ -48,7 +48,9 @@ module ActionView
if html_safe_translation_key?(key) if html_safe_translation_key?(key)
html_safe_options = options.dup html_safe_options = options.dup
options.except(*I18n::RESERVED_KEYS).each do |name, value| options.except(*I18n::RESERVED_KEYS).each do |name, value|
html_safe_options[name] = ERB::Util.html_escape(value.to_s) unless name == :count && value.is_a?(Numeric)
html_safe_options[name] = ERB::Util.html_escape(value.to_s)
end
end end
translation = I18n.translate(scope_key_by_partial(key), html_safe_options) translation = I18n.translate(scope_key_by_partial(key), html_safe_options)
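Review bot: The new `unless name == :count && value.is_a?(Numeric)` guard carries no comment explaining why a numeric `:count` is allowed to bypass the escaping that the previous XSS fix added, so a later reader may take it for a hole in that fix. Presumably `ERB::Util.html_escape(value.to_s)` turns the count into a string that I18n can no longer use for `:one`/`:other` pluralization, while a Numeric carries no markup to escape; a non-numeric count still goes through escaping, as the `:count => '<One>'` test in this commit shows. I would add above the `unless`: `# A Numeric :count carries no markup and must stay Numeric for I18n pluralization; any other value is escaped.` As a point of style, `next if name == :count && value.is_a?(Numeric)` followed by the unconditional assignment keeps the loop body one level shallower than the nested `unless`. The enclosing `translate` method starts and ends outside the hunk.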


@ -19,7 +19,11 @@ class TranslationHelperTest < ActiveSupport::TestCase
:hello_html => '<a>Hello World</a>', :hello_html => '<a>Hello World</a>',
:interpolated_html => '<a>Hello %{word}</a>', :interpolated_html => '<a>Hello %{word}</a>',
:array_html => %w(foo bar), :array_html => %w(foo bar),
:array => %w(foo bar) :array => %w(foo bar),
:count_html => {
:one => '<a>One %{count}</a>',
:other => '<a>Other %{count}</a>'
}
} }
) )
@view = ::ActionView::Base.new(ActionController::Base.view_paths, {}) @view = ::ActionView::Base.new(ActionController::Base.view_paths, {})
@ -89,6 +93,12 @@ class TranslationHelperTest < ActiveSupport::TestCase
assert_equal '<a>Hello &lt;World&gt;</a>', translate(:'translations.interpolated_html', :word => stub(:to_s => "<World>")) assert_equal '<a>Hello &lt;World&gt;</a>', translate(:'translations.interpolated_html', :word => stub(:to_s => "<World>"))
end end
def test_translate_with_html_count
assert_equal '<a>One 1</a>', translate(:'translations.count_html', :count => 1)
assert_equal '<a>Other 2</a>', translate(:'translations.count_html', :count => 2)
assert_equal '<a>Other &lt;One&gt;</a>', translate(:'translations.count_html', :count => '<One>')
end
def test_translation_returning_an_array_ignores_html_suffix def test_translation_returning_an_array_ignores_html_suffix
assert_equal ["foo", "bar"], translate(:'translations.array_html') assert_equal ["foo", "bar"], translate(:'translations.array_html')
end end
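Review bot: `test_translate_with_html_count` checks the rendered text but not that the result of the numeric-count path is still marked safe, which is the property the `_html` suffix exists for and the one most likely to regress if the `:count` exemption is ever reworked. I would add `assert translate(:'translations.count_html', :count => 1).html_safe?` alongside the first assertion. The third assertion already pins that a non-numeric count is escaped, which is the right counterpart. The `TranslationHelperTest` class starts and ends outside the hunk.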