mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Merge pull request #13321 from mezis/fix-safebuffer-interpolation-master
Fixes interpolation on SafeBuffer
commit
e7b8769cbc
2 changed files with 37 additions and 7 deletions
|
@ -183,15 +183,14 @@ module ActiveSupport #:nodoc:
|
|||
end
|
||||
|
||||
def %(args)
|
||||
args = Array(args).map do |arg|
|
||||
if !html_safe? || arg.html_safe?
|
||||
arg
|
||||
else
|
||||
ERB::Util.h(arg)
|
||||
end
|
||||
case args
|
||||
when Hash
|
||||
escaped_args = Hash[args.map { |k,arg| [k, html_escape_interpolated_argument(arg)] }]
|
||||
else
|
||||
escaped_args = Array(args).map { |arg| html_escape_interpolated_argument(arg) }
|
||||
end
|
||||
|
||||
self.class.new(super(args))
|
||||
self.class.new(super(escaped_args))
|
||||
end
|
||||
|
||||
def html_safe?
|
||||
|
@ -224,6 +223,12 @@ module ActiveSupport #:nodoc:
|
|||
EOT
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def html_escape_interpolated_argument(arg)
|
||||
(!html_safe? || arg.html_safe?) ? arg : ERB::Util.h(arg)
|
||||
end
|
||||
end
|
||||
end
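Review bot: When the receiver is not `html_safe?`, `html_escape_interpolated_argument` returns every argument unescaped, yet `%` still wraps the formatted result in `self.class.new(...)`. SafeBuffer's constructor is outside these hunks; if it marks new instances as HTML-safe, formatting through a buffer that has lost its safe flag would produce a string that reports `html_safe?` as true while holding unescaped input, and a view would then emit it without escaping. Consider carrying the receiver's flag over, for example `result = super(escaped_args)` followed by `html_safe? ? self.class.new(result) : result`, and adding a test that interpolates an unsafe argument into a buffer that is no longer safe. The enclosing module and class start and end outside the hunks.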
|
||||
|
||||
|
|
|
@ -140,4 +140,29 @@ class SafeBufferTest < ActiveSupport::TestCase
|
|||
# should still be unsafe
|
||||
assert !y.html_safe?, "should not be safe"
|
||||
end
|
||||
|
||||
test 'Should work with interpolation (array argument)' do
|
||||
x = 'foo %s bar'.html_safe % ['qux']
|
||||
assert_equal 'foo qux bar', x
|
||||
end
|
||||
|
||||
test 'Should work with interpolation (hash argument)' do
|
||||
x = 'foo %{x} bar'.html_safe % { x: 'qux' }
|
||||
assert_equal 'foo qux bar', x
|
||||
end
|
||||
|
||||
test 'Should escape unsafe interpolated args' do
|
||||
x = 'foo %{x} bar'.html_safe % { x: '<br/>' }
|
||||
assert_equal 'foo <br/> bar', x
|
||||
end
|
||||
|
||||
test 'Should not escape safe interpolated args' do
|
||||
x = 'foo %{x} bar'.html_safe % { x: '<br/>'.html_safe }
|
||||
assert_equal 'foo <br/> bar', x
|
||||
end
|
||||
|
||||
test 'Should interpolate to a safe string' do
|
||||
x = 'foo %{x} bar'.html_safe % { x: 'qux' }
|
||||
assert x.html_safe?, 'should be safe'
|
||||
end
|
||||
end
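Review bot: As displayed, the assertion in 'Should escape unsafe interpolated args' expects `'foo <br/> bar'`, the same literal as the 'Should not escape safe interpolated args' test, so the two tests cannot tell escaped from unescaped output. This is probably the page rendering decoding the entities; the expected value for the unsafe case should read `'foo &lt;br/&gt; bar'`, and it is worth confirming against the repository. The new tests also cover only the hash form for escaping, so an array case such as `'foo %s bar'.html_safe % ['<br/>']` asserting the escaped result would pin the `else` branch of `%` as well. The test class begins outside the hunk.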
|
||||
|
|