Call html_escape in ERB::Util module and don't mix it in in the helpers

This commit is contained in:
Santiago Pastorino 2010-10-18 13:58:57 -02:00
parent df044ec4ac
commit 330327eeec
7 changed files with 24 additions and 20 deletions

@ -4,6 +4,7 @@
require 'action_view/helpers/tag_helper'
require 'active_support/core_ext/file'
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
module ActionView
# = Action View Asset Tag Helpers
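Review bot: The new `require 'active_support/core_ext/string/output_safety'` has no comment saying why a helper that only calls `ERB::Util.html_escape` needs it, and the same bare require is added at the top of form_helper, form_options_helper, form_tag_helper, prototype_helper, tag_helper and url_helper. Presumably it is there so that `ERB::Util.html_escape` resolves to ActiveSupport's html_safe-aware definition rather than the stdlib one, but that dependency is now invisible at the call sites since the module is no longer mixed in. A one-line comment above the require, such as `# loads the html_safe-aware ERB::Util.html_escape used below`, would record the reason once per file.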
@ -819,7 +820,7 @@ def javascript_src_tag(source, options)
end
def stylesheet_tag(source, options)
tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => ERB::Util.html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
end
def compute_javascript_paths(*args)

@ -5,6 +5,7 @@
require 'active_support/core_ext/class/inheritable_attributes'
require 'active_support/core_ext/hash/slice'
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
module ActionView
# = Action View Form Helpers
@ -907,7 +908,7 @@ def to_input_field_tag(field_type, options = {})
end
options["type"] ||= field_type
options["value"] = options.fetch("value"){ value_before_type_cast(object) } unless field_type == "file"
options["value"] &&= html_escape(options["value"])
options["value"] &&= ERB::Util.html_escape(options["value"])
add_default_name_and_id(options)
tag("input", options)
end
@ -943,7 +944,7 @@ def to_text_area_tag(options = {})
options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
end
content_tag("textarea", html_escape(options.delete('value') || value_before_type_cast(object)), options)
content_tag("textarea", ERB::Util.html_escape(options.delete('value') || value_before_type_cast(object)), options)
end
def to_check_box_tag(options = {}, checked_value = "1", unchecked_value = "0")

@ -2,6 +2,7 @@
require 'erb'
require 'action_view/helpers/form_helper'
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
module ActionView
# = Action View Form Option Helpers
@ -100,7 +101,6 @@ module Helpers
#
module FormOptionsHelper
# ERB::Util can mask some helpers like textilize. Make sure to include them.
include ERB::Util
include TextHelper
# Create a select tag and a series of contained option tags for the provided object and method.
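Review bot: Dropping `include ERB::Util` from FormOptionsHelper (and from TagHelper in the tag_helper hunk) narrows the public surface of both modules: anything that mixes them in directly and called the bare `html_escape`, `h` or `url_encode` through them will now raise NoMethodError. Views rendered through ActionView::Base are presumably unaffected if the base class includes ERB::Util on its own, but that should be confirmed, and helper modules or tests that include these modules standalone are the likely breakage point. The removed comment about ERB::Util masking `textilize` is no longer needed, so that part is fine; a CHANGELOG line noting that `html_escape` is no longer provided by these helper modules would help downstream users. The FormOptionsHelper module body continues outside the hunk.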
@ -306,7 +306,7 @@ def options_for_select(container, selected = nil)
text, value = option_text_and_value(element).map(&:to_s)
selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
disabled_attribute = ' disabled="disabled"' if disabled && option_value_selected?(value, disabled)
%(<option value="#{html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{html_escape(text)}</option>)
%(<option value="#{ERB::Util.html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{ERB::Util.html_escape(text)}</option>)
end.join("\n").html_safe
end
@ -396,7 +396,7 @@ def options_from_collection_for_select(collection, value_method, text_method, se
def option_groups_from_collection_for_select(collection, group_method, group_label_method, option_key_method, option_value_method, selected_key = nil)
collection.map do |group|
group_label_string = eval("group.#{group_label_method}")
"<optgroup label=\"#{html_escape(group_label_string)}\">" +
"<optgroup label=\"#{ERB::Util.html_escape(group_label_string)}\">" +
options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key) +
'</optgroup>'
end.join.html_safe
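Review bot: The newly qualified `ERB::Util.html_escape(group_label_string)` escapes a value that is still produced by `eval("group.#{group_label_method}")` on the line above, and the same `eval` pattern feeds the `options_from_collection_for_select` call below; escaping the output does nothing about a method name being evaluated as Ruby source. Since this commit already touches the line, it is the natural moment to switch both to `group.send(group_label_method)` and `group.send(group_method)`, which give the same result for a plain method name and avoid `eval`; if chained expressions are meant to be supported there, that should be documented instead. Both method names are normally developer-supplied, so the practical risk is low, but `send` is also cheaper and easier to read. The `option_groups_from_collection_for_select` signature is the hunk's first line and the method's closing `end` lies outside the hunk.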
@ -501,7 +501,7 @@ def option_html_attributes(element)
return "" unless Array === element
html_attributes = []
element.select { |e| Hash === e }.reduce({}, :merge).each do |k, v|
html_attributes << " #{k}=\"#{html_escape(v.to_s)}\""
html_attributes << " #{k}=\"#{ERB::Util.html_escape(v.to_s)}\""
end
html_attributes.join
end
@ -595,11 +595,11 @@ def to_time_zone_select_tag(priority_zones, options, html_options)
private
def add_options(option_tags, options, value = nil)
if options[:include_blank]
option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
option_tags = "<option value=\"\">#{ERB::Util.html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
end
if value.blank? && options[:prompt]
prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
option_tags = "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>\n" + option_tags
end
option_tags.html_safe
end

@ -1,6 +1,7 @@
require 'cgi'
require 'action_view/helpers/tag_helper'
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
module ActionView
# = Action View Form Tag Helpers
@ -287,7 +288,7 @@ def text_area_tag(name, content = nil, options = {})
end
escape = options.key?("escape") ? options.delete("escape") : true
content = html_escape(content) if escape
content = ERB::Util.html_escape(content) if escape
content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
end

@ -1,6 +1,7 @@
require 'set'
require 'active_support/json'
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
module ActionView
# = Action View Prototype Helpers
@ -131,7 +132,7 @@ def remote_function(options)
url_options = options[:url]
url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash)
function << "'#{html_escape(escape_javascript(url_for(url_options)))}'"
function << "'#{ERB::Util.html_escape(escape_javascript(url_for(url_options)))}'"
function << ", #{javascript_options})"
function = "#{options[:before]}; #{function}" if options[:before]

@ -1,4 +1,5 @@
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/string/output_safety'
require 'set'
module ActionView
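Review bot: After this commit tag_helper no longer references `ERB::Util` at load time (the `include ERB::Util` line is removed in the next hunk), yet `tag_options` still calls `ERB::Util.html_escape` and the hunk covering the file's first five lines shows no `require 'erb'`, unlike form_options_helper which requires it explicitly. If the new output_safety require loads `erb` itself this works, but it is an indirect dependency; an explicit `require 'erb'` next to it would make the constant's origin clear. Also, the new require is inserted between the blank-object require and `require 'set'`, whereas the other six files append it after the last active_support require; keeping one placement would make the pattern easier to scan.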
@ -7,8 +8,6 @@ module Helpers #:nodoc:
# Provides methods to generate HTML tags programmatically when you can't use
# a Builder. By default, they output XHTML compliant tags.
module TagHelper
include ERB::Util
extend ActiveSupport::Concern
include CaptureHelper
@ -130,14 +129,14 @@ def tag_options(options, escape = true)
if !v.is_a?(String) && !v.is_a?(Symbol)
v = v.to_json
end
v = html_escape(v) if escape
v = ERB::Util.html_escape(v) if escape
attrs << %(data-#{k.to_s.dasherize}="#{v}")
end
elsif BOOLEAN_ATTRIBUTES.include?(key)
attrs << %(#{key}="#{key}") if value
elsif !value.nil?
final_value = value.is_a?(Array) ? value.join(" ") : value
final_value = html_escape(final_value) if escape
final_value = ERB::Util.html_escape(final_value) if escape
attrs << %(#{key}="#{final_value}")
end
end

@ -1,6 +1,7 @@
require 'action_view/helpers/javascript_helper'
require 'active_support/core_ext/array/access'
require 'active_support/core_ext/hash/keys'
require 'active_support/core_ext/string/output_safety'
require 'action_dispatch'
module ActionView
@ -240,8 +241,8 @@ def link_to(*args, &block)
href = html_options['href']
tag_options = tag_options(html_options)
href_attr = "href=\"#{html_escape(url)}\"" unless href
"<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
href_attr = "href=\"#{ERB::Util.html_escape(url)}\"" unless href
"<a #{href_attr}#{tag_options}>#{ERB::Util.html_escape(name || url)}</a>".html_safe
end
end
@ -326,7 +327,7 @@ def button_to(name, options = {}, html_options = {})
html_options.merge!("type" => "submit", "value" => name)
("<form method=\"#{form_method}\" action=\"#{html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
("<form method=\"#{form_method}\" action=\"#{ERB::Util.html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
end
@ -472,7 +473,7 @@ def link_to_if(condition, name, options = {}, html_options = {}, &block)
# :subject => "This is an example email"
# # => <a href="mailto:me@domain.com?cc=ccaddress@domain.com&subject=This%20is%20an%20example%20email">My email</a>
def mail_to(email_address, name = nil, html_options = {})
email_address = html_escape(email_address)
email_address = ERB::Util.html_escape(email_address)
html_options = html_options.stringify_keys
encode = html_options.delete("encode").to_s
@ -481,7 +482,7 @@ def mail_to(email_address, name = nil, html_options = {})
option = html_options.delete(item) || next
"#{item}=#{Rack::Utils.escape(option).gsub("+", "%20")}"
}.compact
extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
extras = extras.empty? ? '' : '?' + ERB::Util.html_escape(extras.join('&'))
email_address_obfuscated = email_address.dup
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")