s/escape_once/html_escape/, since html safety is the contract that now says whether something has to be escaped
This commit is contained in:
parent
cba1460a2f
commit
ec3bfa2ead
6 changed files with 24 additions and 19 deletions
|
@ -1,5 +1,7 @@
|
||||||
*Rails 3.0.0 [Release Candidate] (unreleased)*
|
*Rails 3.0.0 [Release Candidate] (unreleased)*
|
||||||
|
|
||||||
|
* link_to, button_to, and tag/tag_options now rely on html_escape instead of escape_once. [fxn]
|
||||||
|
|
||||||
* url_for returns always unescaped strings, and the :escape option is gone. [fxn]
|
* url_for returns always unescaped strings, and the :escape option is gone. [fxn]
|
||||||
|
|
||||||
* Added accept-charset parameter and _snowman hidden field to force the contents
|
* Added accept-charset parameter and _snowman hidden field to force the contents
|
||||||
|
|
|
@ -539,7 +539,7 @@ module ActionView
|
||||||
|
|
||||||
def extra_tags_for_form(html_options)
|
def extra_tags_for_form(html_options)
|
||||||
snowman_tag = tag(:input, :type => "hidden",
|
snowman_tag = tag(:input, :type => "hidden",
|
||||||
:name => "_snowman", :value => "☃")
|
:name => "_snowman", :value => "☃".html_safe)
|
||||||
|
|
||||||
method = html_options.delete("method").to_s
|
method = html_options.delete("method").to_s
|
||||||
|
|
||||||
|
|
|
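Review bot: The `.html_safe` added to the snowman literal on the `:name => "_snowman"` line is not explained; `html_escape` only rewrites `&`, `<`, `>` and `"`, so "☃" comes out identical either way and the marker only records that the value is trusted. A one-line comment such as `# literal contains no markup; marked safe so tag() emits it verbatim` would keep the next reader from copying `.html_safe` onto option values that do need escaping. extra_tags_for_form continues past the end of the hunk.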
@ -122,7 +122,7 @@ module ActionView
|
||||||
attrs << %(#{key}="#{key}") if value
|
attrs << %(#{key}="#{key}") if value
|
||||||
elsif !value.nil?
|
elsif !value.nil?
|
||||||
final_value = value.is_a?(Array) ? value.join(" ") : value
|
final_value = value.is_a?(Array) ? value.join(" ") : value
|
||||||
final_value = escape_once(final_value) if escape
|
final_value = html_escape(final_value) if escape
|
||||||
attrs << %(#{key}="#{final_value}")
|
attrs << %(#{key}="#{final_value}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
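Review bot: The `html_escape` on the `final_value` line makes any value marked `html_safe` land verbatim inside the double-quoted attribute, but html-safety says nothing about attribute context: a string marked safe for element content may still contain an unescaped `"` and terminate the attribute early. That pass-through is the contract the commit intends, so the fix is documentation; a comment on that line such as `# html_safe values are emitted as-is: callers marking a value safe are responsible for it being attribute-safe (no bare ")` would record where the responsibility now sits. Note that the Array branch on the line above joins into a plain String, so html_safe elements lose their marker and are escaped, which is the conservative outcome. tag_options starts outside the hunk.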
@ -243,7 +243,7 @@ module ActionView
|
||||||
tag_options = nil
|
tag_options = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
href_attr = "href=\"#{escape_once(url)}\"" unless href
|
href_attr = "href=\"#{html_escape(url)}\"" unless href
|
||||||
"<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
|
"<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -328,7 +328,7 @@ module ActionView
|
||||||
|
|
||||||
html_options.merge!("type" => "submit", "value" => name)
|
html_options.merge!("type" => "submit", "value" => name)
|
||||||
|
|
||||||
("<form method=\"#{form_method}\" action=\"#{escape_once url}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
|
("<form method=\"#{form_method}\" action=\"#{html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
|
||||||
method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
|
method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -474,24 +474,27 @@ module ActionView
|
||||||
# :subject => "This is an example email"
|
# :subject => "This is an example email"
|
||||||
# # => <a href="mailto:me@domain.com?cc=ccaddress@domain.com&subject=This%20is%20an%20example%20email">My email</a>
|
# # => <a href="mailto:me@domain.com?cc=ccaddress@domain.com&subject=This%20is%20an%20example%20email">My email</a>
|
||||||
def mail_to(email_address, name = nil, html_options = {})
|
def mail_to(email_address, name = nil, html_options = {})
|
||||||
|
email_address = html_escape(email_address)
|
||||||
|
|
||||||
html_options = html_options.stringify_keys
|
html_options = html_options.stringify_keys
|
||||||
encode = html_options.delete("encode").to_s
|
encode = html_options.delete("encode").to_s
|
||||||
cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body")
|
cc, bcc, subject, body = html_options.delete("cc"), html_options.delete("bcc"), html_options.delete("subject"), html_options.delete("body")
|
||||||
|
|
||||||
string = ''
|
extras = []
|
||||||
extras = ''
|
extras << "cc=#{Rack::Utils.escape(cc).gsub("+", "%20")}" unless cc.nil?
|
||||||
extras << "cc=#{Rack::Utils.escape(cc).gsub("+", "%20")}&" unless cc.nil?
|
extras << "bcc=#{Rack::Utils.escape(bcc).gsub("+", "%20")}" unless bcc.nil?
|
||||||
extras << "bcc=#{Rack::Utils.escape(bcc).gsub("+", "%20")}&" unless bcc.nil?
|
extras << "body=#{Rack::Utils.escape(body).gsub("+", "%20")}" unless body.nil?
|
||||||
extras << "body=#{Rack::Utils.escape(body).gsub("+", "%20")}&" unless body.nil?
|
extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
|
||||||
extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}&" unless subject.nil?
|
extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
|
||||||
extras = "?" << extras.gsub!(/&?$/,"") unless extras.empty?
|
|
||||||
|
|
||||||
email_address_obfuscated = html_escape(email_address)
|
email_address_obfuscated = email_address.dup
|
||||||
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
|
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
|
||||||
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
|
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
|
||||||
|
|
||||||
|
string = ''
|
||||||
|
|
||||||
if encode == "javascript"
|
if encode == "javascript"
|
||||||
"document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
|
"document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".each_byte do |c|
|
||||||
string << sprintf("%%%x", c)
|
string << sprintf("%%%x", c)
|
||||||
end
|
end
|
||||||
"<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe
|
"<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe
|
||||||
|
@ -508,9 +511,9 @@ module ActionView
|
||||||
char = c.chr
|
char = c.chr
|
||||||
string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
|
string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
|
||||||
end
|
end
|
||||||
content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
|
content_tag "a", name || email_address_encoded.html_safe, html_options.merge("href" => "#{string}#{extras}".html_safe)
|
||||||
else
|
else
|
||||||
content_tag "a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
|
content_tag "a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
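Review bot: In mail_to, the new `email_address_obfuscated = email_address.dup` line copies the already-escaped address, but the two `gsub!` lines that follow substitute the raw `replace_at` and `replace_dot` option values into it, and the result is marked `.html_safe` in every branch, so those option values reach the link text without escaping. The previous line had the same gap and in practice these options are developer-supplied literals, but since the commit makes html-safety the deciding contract it would be consistent to escape them before substitution: `email_address_obfuscated.gsub!(/@/, html_escape(html_options.delete("replace_at"))) if html_options.has_key?("replace_at")` and likewise for `replace_dot`. The `href` values are now assembled from `html_escape`d parts and marked safe as a whole, which is correct, and the same holds for the `html_escape(url)` lines in link_to and button_to in the earlier hunks. The hex-encoding branch of mail_to lies between the two hunks and is not visible here.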
@ -95,9 +95,9 @@ class TagHelperTest < ActionView::TestCase
|
||||||
assert_equal '1 < 2 & 3', escape_once('1 < 2 & 3')
|
assert_equal '1 < 2 & 3', escape_once('1 < 2 & 3')
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_double_escaping_attributes
|
def test_tag_honors_html_safe_for_param_values
|
||||||
['1&2', '1 < 2', '“test“'].each do |escaped|
|
['1&2', '1 < 2', '“test“'].each do |escaped|
|
||||||
assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
|
assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped.html_safe)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
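Review bot: Renaming the test to `test_tag_honors_html_safe_for_param_values` and appending `.html_safe` to the fixture leaves no assertion for the behaviour the commit actually changes: a plain string that already contains an entity was protected by escape_once and will now have its `&` escaped again. A companion assertion would pin that, e.g. `assert_equal %(<a href="1&amp;amp;2" />), tag('a', :href => '1&amp;2')` (the entity in the existing fixture may have been decoded by the page rendering, so the literal in the file should be checked before copying it).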
@ -65,8 +65,8 @@ class UrlHelperTest < ActiveSupport::TestCase
|
||||||
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&q2=v2\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
|
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&q2=v2\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_button_to_with_escaped_query
|
def test_button_to_with_html_safe_URL
|
||||||
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&q2=v2\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
|
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&q2=v2\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2".html_safe)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_button_to_with_query_and_no_name
|
def test_button_to_with_query_and_no_name
|
||||||
|
|
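Review bot: `test_button_to_with_html_safe_URL` asserts the same expected markup as the plain-string test two rows above, so it does not show that an html_safe URL is treated differently; if `assert_dom_equal` parses both sides before comparing, an `&amp;` and a bare `&` in the action attribute are equal and the distinction the commit introduces is invisible to this test. Comparing the raw action attribute with `assert_equal`, or adding a plain-string case that expects `&amp;`, would make the contract observable. The name also departs from the file's snake_case convention; `test_button_to_with_html_safe_url` would match its neighbours.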