From b387d9a14aeecc372f49544d927b2f24d5a39d49 Mon Sep 17 00:00:00 2001 From: Vipul A M Date: Wed, 20 Jan 2016 12:25:06 +0530 Subject: [PATCH] html_safe is not supposed to be public API for AV. This change removes usage of html_safe in favour of raw() in AV helpers. Also changed usage of html_safe to make use of raw() instead so that the intended behaviour is verified with raw() --- .../lib/action_view/helpers/form_helper.rb | 4 ++-- .../action_view/helpers/form_tag_helper.rb | 12 +++++----- .../helpers/output_safety_helper.rb | 4 ++-- .../test/template/active_model_helper_test.rb | 2 +- .../test/template/capture_helper_test.rb | 4 ++-- actionview/test/template/date_helper_test.rb | 2 +- actionview/test/template/form_helper_test.rb | 4 ++-- .../test/template/form_options_helper_test.rb | 2 +- .../test/template/form_tag_helper_test.rb | 24 +++++++++---------- .../template/output_safety_helper_test.rb | 4 ++-- actionview/test/template/tag_helper_test.rb | 4 ++-- actionview/test/template/url_helper_test.rb | 20 ++++++++-------- 12 files changed, 43 insertions(+), 43 deletions(-) diff --git a/actionview/lib/action_view/helpers/form_helper.rb b/actionview/lib/action_view/helpers/form_helper.rb index b43d99ebb7..c1015ffe89 100644 --- a/actionview/lib/action_view/helpers/form_helper.rb +++ b/actionview/lib/action_view/helpers/form_helper.rb @@ -765,7 +765,7 @@ module ActionView # # => # # label(:post, :terms) do - # 'Accept Terms.'.html_safe + # raw('Accept Terms.') # end # # => def label(object_name, method, content_or_options = nil, options = nil, &block) @@ -1675,7 +1675,7 @@ module ActionView # # => # # label(:terms) do - # 'Accept Terms.'.html_safe + # raw('Accept Terms.') # end # # => def label(method, text = nil, options = {}, &block) diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb index d521553481..55dac74d00 100644 --- a/actionview/lib/action_view/helpers/form_tag_helper.rb 
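Review bot: The rewritten doc example for `label(:post, :terms)` in form_helper.rb shows `raw(...)` around a string literal but never says that `raw` applies no escaping, so a reader can mistake it for a sanitising call. As far as I know `raw` is `to_s.html_safe`, so the trust decision is the same as before and only the spelling changed. I would add one comment line above the example: `# raw marks the string as HTML safe without escaping it, so pass only markup you wrote yourself.` The same applies to the second `label` example in this file and to the `select_tag` examples in form_tag_helper.rb. Both `label` doc comments start above the hunks shown.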
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb @@ -93,22 +93,22 @@ module ActionView # select_tag "people", options_from_collection_for_select(@people, "id", "name", "1") # # # - # select_tag "people", "".html_safe + # select_tag "people", raw("") # # => # - # select_tag "count", "".html_safe + # select_tag "count", raw("") # # => # - # select_tag "colors", "".html_safe, multiple: true + # select_tag "colors", raw(""), multiple: true # # => # - # select_tag "locations", "".html_safe + # select_tag "locations", raw("") # # => # - # select_tag "access", "".html_safe, multiple: true, class: 'form_input', id: 'unique_id' + # select_tag "access", raw(""), multiple: true, class: 'form_input', id: 'unique_id' # # => # @@ -121,7 +121,7 @@ module ActionView # select_tag "people", options_from_collection_for_select(@people, "id", "name"), prompt: "Select something" # # => # - # select_tag "destination", "".html_safe, disabled: true + # select_tag "destination", raw(""), disabled: true # # => # diff --git a/actionview/lib/action_view/helpers/output_safety_helper.rb b/actionview/lib/action_view/helpers/output_safety_helper.rb index 1c2a400245..c0fc3b820f 100644 --- a/actionview/lib/action_view/helpers/output_safety_helper.rb +++ b/actionview/lib/action_view/helpers/output_safety_helper.rb @@ -22,10 +22,10 @@ module ActionView #:nodoc: # the supplied separator, are HTML escaped unless they are HTML # safe, and the returned string is marked as HTML safe. # - # safe_join(["

foo

".html_safe, "

bar

"], "
") + # safe_join([raw("

foo

"), "

bar

"], "
") # # => "

foo

<br /><p>bar</p>" # - # safe_join(["

foo

".html_safe, "

bar

".html_safe], "
".html_safe) + # safe_join([raw("

foo

"), raw("

bar

")], raw("
") # # => "

foo


bar

" # def safe_join(array, sep=$,) diff --git a/actionview/test/template/active_model_helper_test.rb b/actionview/test/template/active_model_helper_test.rb index 86bccdfade..55d62cf692 100644 --- a/actionview/test/template/active_model_helper_test.rb +++ b/actionview/test/template/active_model_helper_test.rb @@ -85,7 +85,7 @@ class ActiveModelHelperTest < ActionView::TestCase def test_field_error_proc old_proc = ActionView::Base.field_error_proc ActionView::Base.field_error_proc = Proc.new do |html_tag, instance| - %(
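Review bot: The second `safe_join` example in the new doc comment of output_safety_helper.rb is missing its closing parenthesis. The added line ends right after the separator argument `raw(...)`, so only the inner `raw` call is closed and the example is not valid Ruby as written. The line should end `], raw("<br />"))`. The matching call in output_safety_helper_test.rb in this same patch has both parentheses, so only the documentation needs the fix.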
#{html_tag} #{[instance.error_message].join(', ')}
).html_safe + raw(%(
#{html_tag} #{[instance.error_message].join(', ')}
)) end assert_dom_equal( diff --git a/actionview/test/template/capture_helper_test.rb b/actionview/test/template/capture_helper_test.rb index 7e6761e580..ffaf773c53 100644 --- a/actionview/test/template/capture_helper_test.rb +++ b/actionview/test/template/capture_helper_test.rb @@ -34,7 +34,7 @@ class CaptureHelperTest < ActionView::TestCase end def test_capture_doesnt_escape_twice - string = @av.capture { '<em>bar</em>'.html_safe } + string = @av.capture { raw('<em>bar</em>') } assert_equal '<em>bar</em>', string end @@ -171,7 +171,7 @@ class CaptureHelperTest < ActionView::TestCase @view_flow = ActionView::OutputFlow.new provide :title, "hi" - provide :title, "

title

".html_safe + provide :title, raw("

title

") assert_equal "hi

title

", content_for(:title) end diff --git a/actionview/test/template/date_helper_test.rb b/actionview/test/template/date_helper_test.rb index 92e77599f4..4678998bdc 100644 --- a/actionview/test/template/date_helper_test.rb +++ b/actionview/test/template/date_helper_test.rb @@ -3207,7 +3207,7 @@ class DateHelperTest < ActionView::TestCase end def test_time_tag_with_given_block - assert_match(/Right now<\/span><\/time>/, time_tag(Time.now){ 'Right now'.html_safe }) + assert_match(/Right now<\/span><\/time>/, time_tag(Time.now){ raw('Right now') }) end def test_time_tag_with_different_format diff --git a/actionview/test/template/form_helper_test.rb b/actionview/test/template/form_helper_test.rb index 1be1c68c14..034b8a4bf6 100644 --- a/actionview/test/template/form_helper_test.rb +++ b/actionview/test/template/form_helper_test.rb @@ -336,7 +336,7 @@ class FormHelperTest < ActionView::TestCase def test_label_with_block_and_html assert_dom_equal( '', - label(:post, :terms) { 'Accept Terms.'.html_safe } + label(:post, :terms) { raw('Accept Terms.') } ) end @@ -351,7 +351,7 @@ class FormHelperTest < ActionView::TestCase with_locale :label do assert_dom_equal( '', - label(:post, :body) { |b| "#{b.translation}".html_safe } + label(:post, :body) { |b| raw("#{b.translation}") } ) end end diff --git a/actionview/test/template/form_options_helper_test.rb b/actionview/test/template/form_options_helper_test.rb index 6b97cec34c..c5b63d33f1 100644 --- a/actionview/test/template/form_options_helper_test.rb +++ b/actionview/test/template/form_options_helper_test.rb @@ -588,7 +588,7 @@ class FormOptionsHelperTest < ActionView::TestCase def test_select_under_fields_for_with_string_and_given_prompt @post = Post.new - options = "".html_safe + options = raw("") output_buffer = fields_for :post, @post do |f| concat f.select(:category, options, :prompt => 'The prompt') 
diff --git a/actionview/test/template/form_tag_helper_test.rb b/actionview/test/template/form_tag_helper_test.rb index 359ecbc637..07b3fba754 100644 --- a/actionview/test/template/form_tag_helper_test.rb +++ b/actionview/test/template/form_tag_helper_test.rb @@ -216,19 +216,19 @@ class FormTagHelperTest < ActionView::TestCase end def test_select_tag - actual = select_tag "people", "".html_safe + actual = select_tag "people", raw("") expected = %() assert_dom_equal expected, actual end def test_select_tag_with_multiple - actual = select_tag "colors", "".html_safe, multiple: true + actual = select_tag "colors", raw(""), multiple: true expected = %() assert_dom_equal expected, actual end def test_select_tag_disabled - actual = select_tag "places", "".html_safe, disabled: true + actual = select_tag "places", raw(""), disabled: true expected = %() assert_dom_equal expected, actual end 
@@ -239,37 +239,37 @@ class FormTagHelperTest < ActionView::TestCase end def test_select_tag_with_include_blank - actual = select_tag "places", "".html_safe, :include_blank => true + actual = select_tag "places", raw(""), :include_blank => true expected = %() assert_dom_equal expected, actual end def test_select_tag_with_include_blank_false - actual = select_tag "places", "".html_safe, include_blank: false + actual = select_tag "places", raw(""), include_blank: false expected = %() assert_dom_equal expected, actual end def test_select_tag_with_include_blank_string - actual = select_tag "places", "".html_safe, include_blank: 'Choose' + actual = select_tag "places", raw(""), include_blank: 'Choose' expected = %() assert_dom_equal expected, actual end def test_select_tag_with_prompt - actual = select_tag "places", "".html_safe, :prompt => "string" + actual = select_tag "places", raw(""), :prompt => "string" expected = %() assert_dom_equal expected, actual end def test_select_tag_escapes_prompt - actual = select_tag "places", "".html_safe, :prompt => "" + actual = select_tag "places", raw(""), :prompt => "" expected = %() assert_dom_equal expected, actual end def test_select_tag_with_prompt_and_include_blank - actual = select_tag "places", "".html_safe, :prompt => "string", :include_blank => true + actual = select_tag "places", raw(""), :prompt => "string", :include_blank => true expected = %() assert_dom_equal expected, actual end 
@@ -433,9 +433,9 @@ class FormTagHelperTest < ActionView::TestCase assert_dom_equal %(), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes") assert_dom_equal %(), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil) assert_dom_equal %(), tag(:input, :type => "checkbox", :checked => false) - assert_dom_equal %(), select_tag("people", "".html_safe, :multiple => true) - assert_dom_equal %(), select_tag("people[]", "".html_safe, :multiple => true) - assert_dom_equal %(), select_tag("people", "".html_safe, :multiple => nil) + assert_dom_equal %(), select_tag("people", raw(""), :multiple => true) + assert_dom_equal %(), select_tag("people[]", raw(""), :multiple => true) + assert_dom_equal %(), select_tag("people", raw(""), :multiple => nil) end def test_stringify_symbol_keys diff --git a/actionview/test/template/output_safety_helper_test.rb b/actionview/test/template/output_safety_helper_test.rb index a1bf0e1a5f..8de0ae2f6f 100644 --- a/actionview/test/template/output_safety_helper_test.rb +++ b/actionview/test/template/output_safety_helper_test.rb @@ -18,10 +18,10 @@ class OutputSafetyHelperTest < ActionView::TestCase end test "safe_join should html_escape any items, including the separator, if they are not html_safe" do - joined = safe_join(["

foo

".html_safe, "

bar

"], "
") + joined = safe_join([raw("

foo

"), "

bar

"], "
") assert_equal "

foo

<br /><p>bar</p>", joined - joined = safe_join(["

foo

".html_safe, "

bar

".html_safe], "
".html_safe) + joined = safe_join([raw("

foo

"), raw("

bar

")], raw("
")) assert_equal "

foo


bar

", joined end diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb index d037447567..6f7a78ccef 100644 --- a/actionview/test/template/tag_helper_test.rb +++ b/actionview/test/template/tag_helper_test.rb @@ -143,10 +143,10 @@ class TagHelperTest < ActionView::TestCase end def test_tag_honors_html_safe_with_escaped_array_class - str = tag('p', :class => ['song>', 'play>'.html_safe]) + str = tag('p', :class => ['song>', raw('play>')]) assert_equal '

', str - str = tag('p', :class => ['song>'.html_safe, 'play>']) + str = tag('p', :class => [raw('song>'), 'play>']) assert_equal '

', str end diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 89cabb8f6b..3010656166 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -78,7 +78,7 @@ class UrlHelperTest < ActiveSupport::TestCase def test_button_to_with_path assert_dom_equal( %{

}, - button_to("Hello", article_path("Hello".html_safe)) + button_to("Hello", article_path("Hello")) ) end @@ -106,7 +106,7 @@ class UrlHelperTest < ActiveSupport::TestCase end def test_button_to_with_html_safe_URL - assert_dom_equal %{
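Review bot: In `test_button_to_with_path` the `.html_safe` call on the `article_path` argument is dropped rather than replaced with `raw(...)`, unlike every other call site in the patch, so the path helper now receives a plain string. The same happens in `test_link_tag_with_html_safe_string` further down this file, whose name still says an HTML-safe string is under test. If these tests were meant to cover HTML-safe arguments reaching a path helper, keep the marking, e.g. `article_path(raw("Gerd_Müller"))`. Otherwise rename the second test so it matches what it now checks.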
}, button_to("Hello", "http://www.example.com/q1=v1&q2=v2".html_safe) + assert_dom_equal %{
}, button_to("Hello", raw("http://www.example.com/q1=v1&q2=v2")) end def test_button_to_with_query_and_no_name @@ -232,7 +232,7 @@ class UrlHelperTest < ActiveSupport::TestCase end def test_link_tag_with_img - link = link_to("".html_safe, "/") + link = link_to(raw(""), "/") expected = %{} assert_dom_equal expected, link end @@ -358,7 +358,7 @@ class UrlHelperTest < ActiveSupport::TestCase def test_link_tag_with_html_safe_string assert_dom_equal( %{Gerd Müller}, - link_to("Gerd Müller", article_path("Gerd_Müller".html_safe)) + link_to("Gerd Müller", article_path("Gerd_Müller")) ) end @@ -369,7 +369,7 @@ class UrlHelperTest < ActiveSupport::TestCase def test_link_tag_does_not_escape_html_safe_content assert_dom_equal %{Malicious }, - link_to("Malicious ".html_safe, "/") + link_to(raw("Malicious "), "/") end def test_link_to_unless @@ -380,7 +380,7 @@ class UrlHelperTest < ActiveSupport::TestCase assert_equal "Showing", link_to_unless(true, "Showing", url_hash) { |name| - "#{name}".html_safe + raw "#{name}" } assert_equal "test", @@ -390,8 +390,8 @@ class UrlHelperTest < ActiveSupport::TestCase assert_equal %{<b>Showing</b>}, link_to_unless(true, "Showing", url_hash) assert_equal %{<b>Showing</b>}, link_to_unless(false, "Showing", url_hash) - assert_equal %{Showing}, link_to_unless(true, "Showing".html_safe, url_hash) - assert_equal %{Showing}, link_to_unless(false, "Showing".html_safe, url_hash) + assert_equal %{Showing}, link_to_unless(true, raw("Showing"), url_hash) + assert_equal %{Showing}, link_to_unless(false, raw("Showing"), url_hash) end def test_link_to_if @@ -541,13 +541,13 @@ class UrlHelperTest < ActiveSupport::TestCase def test_mail_to_with_img assert_dom_equal %{}, - mail_to('feedback@example.com', ''.html_safe) + mail_to('feedback@example.com', raw('')) end def test_mail_to_with_html_safe_string assert_dom_equal( %{david@loudthinking.com}, - mail_to("david@loudthinking.com".html_safe) + mail_to(raw("david@loudthinking.com")) ) end
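Review bot: The block in the `link_to_unless` hunk calls `raw "#{name}"` without parentheses, while every other replacement in this patch uses the `raw(...)` form. Inside a brace block the bare form is harder to read and makes the one unescaped-output call in this test easy to miss. I would write it with parentheses around the same interpolated string. The enclosing test method starts above this hunk and continues below it.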