fix safe string interpolation with SafeBuffer#%, closes #6352

2022-11-09 12:12:34 -05:00 · 2012-05-16 21:04:31 +03:00 · 2012-05-16 21:04:31 +03:00 · 9fb21e98e2
commit 9fb21e98e2
parent e29626901a
2 changed files with 38 additions and 0 deletions
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@ -150,6 +150,20 @@ module ActiveSupport #:nodoc:
      dup.concat(other)
    end

+    def %(args)
+      args = Array(args)
+
+      args.map! do |arg|
+        if !html_safe? || arg.html_safe?
+          arg
+        else
+          ERB::Util.h(arg)
+        end
+      end
+
+      self.class.new(super(args))
+    end
+
    def html_safe?
      defined?(@html_safe) && @html_safe
    end
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@ -439,6 +439,30 @@ class OutputSafetyTest < ActiveSupport::TestCase
    assert @other_string.html_safe?
  end

+  test "Concatting safe onto unsafe with % yields unsafe" do
+    @other_string = "other%s"
+    string = @string.html_safe
+
+    @other_string = @other_string % string
+    assert !@other_string.html_safe?
+  end
+
+  test "Concatting unsafe onto safe with % yields escaped safe" do
+    @other_string = "other%s".html_safe
+    string = @other_string % "<foo>"
+
+    assert_equal "other&lt;foo&gt;", string
+    assert string.html_safe?
+  end
+
+  test "Concatting safe onto safe with % yields safe" do
+    @other_string = "other%s".html_safe
+    string = @string.html_safe
+
+    @other_string = @other_string % string
+    assert @other_string.html_safe?
+  end
+
  test "Concatting a fixnum to safe always yields safe" do
    string = @string.html_safe
    string = string.concat(13)