1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

truncate() should not try to produce HTML-safe output

As discussed in Lighthouse ticket #4825 and ticket #4878, the truncate()
method cannot guarantee safe output for all possible inputs/offsets, so
it is best to leave the output unsafe so that it gets escaped when used
in a view.

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
This commit is contained in:
Wincent Colaiuta 2010-06-17 08:39:13 +02:00 committed by David Heinemeier Hansson
parent 69bc8b26a9
commit a424808df9
2 changed files with 8 additions and 22 deletions

View file

@ -39,7 +39,10 @@ module ActionView
# for a total length not exceeding <tt>:length</tt>.
#
# Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
# Pass a <tt>:safe</tt> value as "true" to not to escape the content.
#
# The result is not marked as HTML-safe, so will be subject to the default escaping when
# used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
# or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
#
# ==== Examples
#
@ -56,12 +59,6 @@ module ActionView
# # => "And they f... (continued)"
#
# truncate("<p>Once upon a time in a world far far away</p>")
# # => "&lt;p&gt;Once upon a time i..."
#
# truncate("<p>Once upon a time in a world far far away</p>", :safe => true)
# # => "<p>Once upon a time in a wo..."
#
# truncate("<p>Once upon a time in a world far far away</p>".html_safe)
# # => "<p>Once upon a time in a wo..."
#
# You can still use <tt>truncate</tt> with the old API that accepts the
@ -84,7 +81,6 @@ module ActionView
options.reverse_merge!(:length => 30)
text = h(text) unless text.html_safe? || options[:safe]
text.truncate(options.delete(:length), options) if text
end

View file

@ -52,8 +52,8 @@ class TextHelperTest < ActionView::TestCase
assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
end
def test_truncate_should_be_html_safe
assert truncate("Hello World!", :length => 12).html_safe?
def test_truncate_should_not_be_html_safe
assert !truncate("Hello World!", :length => 12).html_safe?
end
def test_truncate
@ -61,18 +61,8 @@ class TextHelperTest < ActionView::TestCase
assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
end
def test_truncate_should_escape_unsafe_input
assert_equal "Hello &lt...", truncate("Hello <script>code!</script>World!!", :length => 12)
end
def test_truncate_should_not_escape_input_if_safe_option
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
end
def test_truncate_should_not_escape_safe_input
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
def test_truncate_should_not_escape_input
assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12)
end
def test_truncate_should_use_default_length_of_30