mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
truncate() should not try to produce HTML-safe output
As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate() method cannot guarantee safe output for all possible inputs/offsets, so it is best to leave the output unsafe so that it gets escaped when used in a view. Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
This commit is contained in:
parent
69bc8b26a9
commit
a424808df9
2 changed files with 8 additions and 22 deletions
|
@ -39,7 +39,10 @@ module ActionView
|
|||
# for a total length not exceeding <tt>:length</tt>.
|
||||
#
|
||||
# Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
|
||||
# Pass a <tt>:safe</tt> value as "true" to not to escape the content.
|
||||
#
|
||||
# The result is not marked as HTML-safe, so will be subject to the default escaping when
|
||||
# used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
|
||||
# or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
|
||||
#
|
||||
# ==== Examples
|
||||
#
|
||||
|
@ -56,12 +59,6 @@ module ActionView
|
|||
# # => "And they f... (continued)"
|
||||
#
|
||||
# truncate("<p>Once upon a time in a world far far away</p>")
|
||||
# # => "<p>Once upon a time i..."
|
||||
#
|
||||
# truncate("<p>Once upon a time in a world far far away</p>", :safe => true)
|
||||
# # => "<p>Once upon a time in a wo..."
|
||||
#
|
||||
# truncate("<p>Once upon a time in a world far far away</p>".html_safe)
|
||||
# # => "<p>Once upon a time in a wo..."
|
||||
#
|
||||
# You can still use <tt>truncate</tt> with the old API that accepts the
|
||||
|
@ -84,7 +81,6 @@ module ActionView
|
|||
|
||||
options.reverse_merge!(:length => 30)
|
||||
|
||||
text = h(text) unless text.html_safe? || options[:safe]
|
||||
text.truncate(options.delete(:length), options) if text
|
||||
end
|
||||
|
||||
|
|
|
@ -52,8 +52,8 @@ class TextHelperTest < ActionView::TestCase
|
|||
assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
|
||||
end
|
||||
|
||||
def test_truncate_should_be_html_safe
|
||||
assert truncate("Hello World!", :length => 12).html_safe?
|
||||
def test_truncate_should_not_be_html_safe
|
||||
assert !truncate("Hello World!", :length => 12).html_safe?
|
||||
end
|
||||
|
||||
def test_truncate
|
||||
|
@ -61,18 +61,8 @@ class TextHelperTest < ActionView::TestCase
|
|||
assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
|
||||
end
|
||||
|
||||
def test_truncate_should_escape_unsafe_input
|
||||
assert_equal "Hello <...", truncate("Hello <script>code!</script>World!!", :length => 12)
|
||||
end
|
||||
|
||||
def test_truncate_should_not_escape_input_if_safe_option
|
||||
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
|
||||
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
|
||||
end
|
||||
|
||||
def test_truncate_should_not_escape_safe_input
|
||||
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
|
||||
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
|
||||
def test_truncate_should_not_escape_input
|
||||
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12)
|
||||
end
|
||||
|
||||
def test_truncate_should_use_default_length_of_30
|
||||
|
|
Loading…
Reference in a new issue