From dbd0bd5e5c9946ffb48bf8651f81ebc6dd9b52e5 Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Wed, 18 Oct 2006 16:42:19 +0000
Subject: [PATCH] Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/CHANGELOG | 2 ++
 actionpack/lib/action_view/helpers/tag_helper.rb | 11 ++++++++++-
 actionpack/lib/action_view/helpers/url_helper.rb | 4 ++--
 actionpack/test/template/tag_helper_test.rb | 4 ++++
 actionpack/test/template/url_helper_test.rb | 4 ++++
 5 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 1993fcf41c..05f2328f7d 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
+* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone. Fix button_to double-escaping issue. [Rick]
+
 * Fix double-escaped entities, such as &amp;, &#123;, etc. [Rick]
 * Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 6001b21e63..f913c99abb 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -31,10 +31,19 @@ module ActionView
 ""
 end
+ # Escapes a given string, while leaving any currently escaped entities alone.
+ #
+ # escape_once("1 > 2 & 3")
+ # # => "1 < 2 & 3"
+ #
+ def escape_once(html)
+ fix_double_escape(html_escape(html.to_s))
+ end
+
 private
 def tag_options(options)
 cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
- ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+ ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
 end
 def convert_booleans(options)
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 42c28335d5..4f52a018a7 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -131,8 +131,8 @@ module ActionView
 name ||= url
 html_options.merge!("type" => "submit", "value" => name)
-
- "
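Review bot: The doc example on the new `escape_once` contradicts itself — the input is written `1 > 2 & 3` and the result `1 < 2 & 3` — so a reader cannot tell which characters the helper escapes (this rendering may have dropped entity text, but the `>`/`<` mismatch is in the source). Since the method is public and is now what `tag_options` applies to every caller-supplied attribute value, the comment should also state the safety contract it relies on, along the lines of `# Leaves only the '&' of an already well-formed entity (e.g. "&amp;", "&#123;") alone; '<', '>' and '"' are always escaped, so the result is safe inside a double-quoted attribute.` — that claim rests on `fix_double_escape` and `html_escape`, both outside this hunk, and should be checked against them before it is written down. `html.to_s` also means a `nil` value yields an empty string rather than raising, which is worth a word in the same comment.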
" + + + "
" + method_tag + tag("input", html_options) + "
"
 end
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index 8611f4c9bd..bda57c4e9b 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -39,6 +39,10 @@ class TagHelperTest < Test::Unit::TestCase
 assert_equal "]]>", cdata_section("")
 end
+ def test_escape_once
+ assert_equal '1 < 2 & 3', escape_once('1 < 2 & 3')
+ end
+
 def test_double_escaping_attributes
 ['1&2', '1 < 2', '“test“'].each do |escaped|
 assert_equal %(), tag('a', :href => escaped)
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 77ca8094f7..ba813f72ce 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -38,6 +38,10 @@ class UrlHelperTest < Test::Unit::TestCase
 assert_dom_equal "
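Review bot: The security-relevant line of this hunk — the form tag whose `action` attribute interpolates `url` — has had its markup stripped in this rendering, so the escaping now applied to `url` cannot be verified here; from the commit subject and the new `test_button_to_with_escaped_query` it is presumably switched to `escape_once`. Whatever the call is, `url` is caller-supplied and lands inside a double-quoted attribute, so it must go through the same attribute escaping `tag_options` uses and never raw interpolation; a comment on that line such as `# url is interpolated into a double-quoted attribute: escape once, never raw` would keep a later edit from regressing it. The `-`/`+` pair on the blank line just before it looks like a whitespace-only change. The enclosing method `button_to` starts outside the hunk.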
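Review bot: As rendered, `test_escape_once` asserts that `escape_once('1 < 2 & 3')` returns its input unchanged, which would not exercise escaping at all; entity text may have been dropped by this rendering, but even so a single mixed string is a thin check for a helper that is about to guard every attribute value. The property the name promises is that applying it twice is a no-op, so add `assert_equal escape_once('1 < 2 & 3'), escape_once(escape_once('1 < 2 & 3'))` next to the existing assertion, and a case whose input is an already-escaped string that must come back byte-identical. The enclosing class continues outside the hunk.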
", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
 end
+ def test_button_to_with_escaped_query
+ assert_dom_equal "
", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
+ end
+
 def test_button_to_with_query_and_no_name
 assert_dom_equal "
", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
 end
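Review bot: `test_button_to_with_escaped_query` is, as rendered here, identical in both arguments to the `button_to("Hello", "http://www.example.com/q1=v1&q2=v2")` assertion directly above it, so it cannot fail independently; if the intent is to pass an `&amp;`-encoded variant of the same URL and expect the same markup, that difference has been lost in this rendering and should be confirmed in the file. A test named "with_escaped_query" should make the distinction visible, e.g. by binding the raw and the entity-encoded URL to two locals and asserting `assert_equal button_to("Hello", raw_url), button_to("Hello", escaped_url)`, which states the double-escaping fix directly. The expected form markup is stripped from this rendering, so the attribute escaping it asserts could not be checked. The enclosing class continues outside the hunk.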