text_helper now escape the unsafe input instead of sanitizing
Signed-off-by: José Valim <jose.valim@gmail.com>
This commit is contained in:
parent
51ad68367a
commit
b4976ce91b
2 changed files with 12 additions and 13 deletions
@ -74,7 +74,7 @@ module ActionView
|
|||
|
||||
options.reverse_merge!(:length => 30)
|
||||
|
||||
text = sanitize(text) unless text.html_safe? || options[:safe]
|
||||
text = h(text) unless text.html_safe? || options[:safe]
|
||||
text.truncate(options.delete(:length), options) if text
|
||||
end
|
||||
|
||||
|
@ -106,7 +106,7 @@ module ActionView
|
|||
end
|
||||
options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
|
||||
|
||||
text = sanitize(text) unless text.html_safe? || options[:safe]
|
||||
text = h(text) unless text.html_safe? || options[:safe]
|
||||
if text.blank? || phrases.blank?
|
||||
text
|
||||
else
|
||||
|
@ -244,7 +244,7 @@ module ActionView
|
|||
def simple_format(text, html_options={}, options={})
|
||||
text = '' if text.nil?
|
||||
start_tag = tag('p', html_options, true)
|
||||
text = sanitize(text) unless text.html_safe? || options[:safe]
|
||||
text = h(text) unless text.html_safe? || options[:safe]
|
||||
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
|
||||
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
|
||||
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
|
||||
|
@ -503,7 +503,7 @@ module ActionView
|
|||
text.html_safe
|
||||
else
|
||||
display_text = (block_given?) ? yield(text) : text
|
||||
display_text = sanitize(display_text) unless options[:safe]
|
||||
display_text = h(display_text) unless options[:safe]
|
||||
mail_to text, display_text, html_options
|
||||
end
|
||||
end
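Review bot: In the truncate hunk, `text = h(text) unless text.html_safe? || options[:safe]` changes what nil input produces: if `h` is `ERB::Util.html_escape`, which coerces its argument with `to_s`, nil becomes an empty (html_safe) string and the `if text` guard on the following `text.truncate(options.delete(:length), options) if text` line can no longer return nil the way the sanitize path presumably did; if nil-in/nil-out is intended, keep the guard meaningful with `text = h(text) unless text.nil? || text.html_safe? || options[:safe]`. Across all four hunks the opt-out condition `text.html_safe? || options[:safe]` now skips escaping entirely, so a caller passing `:safe => true` or an html_safe string gets its markup through with no sanitization at all, which is a stronger contract than the old whitelist sanitizer gave; the option name and the helpers' documentation (outside these hunks) should say so, e.g. `# :safe => true disables escaping entirely; the caller is responsible for the markup.` The enclosing method bodies begin and end outside each hunk.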
@ -41,7 +41,7 @@ class TextHelperTest < ActionView::TestCase
|
|||
end
|
||||
|
||||
def test_simple_format_should_sanitize_unsafe_input
|
||||
assert_equal "<p><b> test with unsafe string </b></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
|
||||
assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
|
||||
end
|
||||
|
||||
def test_simple_format_should_not_sanitize_input_if_safe_option
|
||||
|
@ -62,8 +62,7 @@ class TextHelperTest < ActionView::TestCase
|
|||
end
|
||||
|
||||
def test_truncate_should_sanitize_unsafe_input
|
||||
assert_equal "Hello World!", truncate("Hello <script>code!</script>World!", :length => 12)
|
||||
assert_equal "Hello Wor...", truncate("Hello <script>code!</script>World!!", :length => 12)
|
||||
assert_equal "Hello <...", truncate("Hello <script>code!</script>World!!", :length => 12)
|
||||
end
|
||||
|
||||
def test_truncate_should_not_sanitize_input_if_safe_option
|
||||
|
@ -141,7 +140,7 @@ class TextHelperTest < ActionView::TestCase
|
|||
|
||||
def test_highlight_should_sanitize_unsafe_input
|
||||
assert_equal(
|
||||
"This is a <strong class=\"highlight\">beautiful</strong> morning",
|
||||
"This is a <strong class=\"highlight\">beautiful</strong> morning<script>code!</script>",
|
||||
highlight("This is a beautiful morning<script>code!</script>", "beautiful")
|
||||
)
|
||||
end
|
||||
|
@ -190,23 +189,23 @@ class TextHelperTest < ActionView::TestCase
|
|||
|
||||
def test_highlight_with_html
|
||||
assert_equal(
|
||||
"<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
"<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
highlight("<p>This is a beautiful morning, but also a beautiful day</p>", "beautiful")
|
||||
)
|
||||
assert_equal(
|
||||
"<p>This is a <em><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
"<p>This is a <em><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
highlight("<p>This is a <em>beautiful</em> morning, but also a beautiful day</p>", "beautiful")
|
||||
)
|
||||
assert_equal(
|
||||
"<p>This is a <em class=\"error\"><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> <span class=\"last\">day</span></p>",
|
||||
"<p>This is a <em class="error"><strong class=\"highlight\">beautiful</strong></em> morning, but also a <strong class=\"highlight\">beautiful</strong> <span class="last">day</span></p>",
|
||||
highlight("<p>This is a <em class=\"error\">beautiful</em> morning, but also a beautiful <span class=\"last\">day</span></p>", "beautiful")
|
||||
)
|
||||
assert_equal(
|
||||
"<p class=\"beautiful\">This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
"<p class="<strong class=\"highlight\">beautiful</strong>">This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
highlight("<p class=\"beautiful\">This is a beautiful morning, but also a beautiful day</p>", "beautiful")
|
||||
)
|
||||
assert_equal(
|
||||
"<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
"<p>This is a <strong class=\"highlight\">beautiful</strong> <a href="http://example.com/<strong class=\"highlight\">beautiful</strong>#top?what=<strong class=\"highlight\">beautiful</strong>%20morning&when=now+then">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
|
||||
highlight("<p>This is a beautiful <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a beautiful day</p>", "beautiful")
|
||||
)
|
||||
end
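Review bot: The test names `test_simple_format_should_sanitize_unsafe_input`, `test_truncate_should_sanitize_unsafe_input` and `test_highlight_should_sanitize_unsafe_input` still describe sanitizing while their new expectations assert escaping; rename them to `..._should_escape_unsafe_input` so a future reader does not reintroduce the whitelist behaviour to make the names true. The new expected strings as rendered here contain raw `<script>code!</script>` and, in the third `test_highlight_with_html` case, an unescaped `"` inside a double-quoted literal (`<em class="error">`), which would not even parse as Ruby; this looks like the page having decoded `&lt;`/`&quot;` entities, so the committed source presumably has `&lt;script&gt;` and `&quot;error&quot;`, but that should be verified against the file, since a test that literally expects `<script>` to survive would be asserting an XSS path. Since the tests now cover the escaping branch only, one case each for the `html_safe?` and `:safe => true` opt-outs of highlight with HTML input (e.g. `highlight("<p>...</p>".html_safe, "beautiful")`) would pin the intended distinction between trusted and untrusted markup.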