Call html_escape in ERB::Util module and don't mix it in in the helpers
This commit is contained in:
parent
df044ec4ac
commit
330327eeec
@ -4,6 +4,7 @@
|
||||
require 'action_view/helpers/tag_helper'
|
||||
require 'active_support/core_ext/file'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
module ActionView
|
||||
# = Action View Asset Tag Helpers
|
||||
@ -819,7 +820,7 @@ def javascript_src_tag(source, options)
|
||||
end
|
||||
|
||||
def stylesheet_tag(source, options)
|
||||
tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
|
||||
tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => ERB::Util.html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
|
||||
end
|
||||
|
||||
def compute_javascript_paths(*args)
|
||||
|
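Review bot: In stylesheet_tag the trailing `false, false` on the `tag("link", ...)` call appears to switch off attribute escaping for the whole hash (tag_options elsewhere in this commit takes `escape = true` as its second parameter, so the position suggests that flag), which is why `href` is pre-escaped here; but the caller's `options` are merged into the same hash and so are emitted as given. A `media` or `title` value supplied by a caller therefore reaches the output unescaped, which should at least be documented, e.g. `# escaping is disabled on the tag call: href is escaped here, values from options are emitted as given`. If the intent is to escape everything, dropping the pre-escape and the `false, false` and letting tag_options escape the hash would be simpler. stylesheet_tag is fully inside the hunk; compute_javascript_paths starts at its end and continues outside.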
@ -5,6 +5,7 @@
|
||||
require 'active_support/core_ext/class/inheritable_attributes'
|
||||
require 'active_support/core_ext/hash/slice'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
module ActionView
|
||||
# = Action View Form Helpers
|
||||
@ -907,7 +908,7 @@ def to_input_field_tag(field_type, options = {})
|
||||
end
|
||||
options["type"] ||= field_type
|
||||
options["value"] = options.fetch("value"){ value_before_type_cast(object) } unless field_type == "file"
|
||||
options["value"] &&= html_escape(options["value"])
|
||||
options["value"] &&= ERB::Util.html_escape(options["value"])
|
||||
add_default_name_and_id(options)
|
||||
tag("input", options)
|
||||
end
|
||||
@ -943,7 +944,7 @@ def to_text_area_tag(options = {})
|
||||
options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
|
||||
end
|
||||
|
||||
content_tag("textarea", html_escape(options.delete('value') || value_before_type_cast(object)), options)
|
||||
content_tag("textarea", ERB::Util.html_escape(options.delete('value') || value_before_type_cast(object)), options)
|
||||
end
|
||||
|
||||
def to_check_box_tag(options = {}, checked_value = "1", unchecked_value = "0")
|
||||
|
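Review bot: In to_input_field_tag `options["value"]` is escaped at this line and the same hash is then handed to `tag("input", options)`; the tag_options hunk in this commit escapes every attribute value again with `ERB::Util.html_escape` when its `escape` flag is true, so this value is presumably escaped twice. That is harmless only if `ERB::Util.html_escape` returns an html_safe string and skips strings already marked safe (the output_safety override required at the top of the file is not shown here); otherwise a value containing `&` renders as `&amp;amp;`. Either rely on tag_options alone or leave a comment: `# pre-escaped; tag_options must not escape html_safe values a second time`. Both to_input_field_tag and to_text_area_tag start outside their hunks.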
@ -2,6 +2,7 @@
|
||||
require 'erb'
|
||||
require 'action_view/helpers/form_helper'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
module ActionView
|
||||
# = Action View Form Option Helpers
|
||||
@ -100,7 +101,6 @@ module Helpers
|
||||
#
|
||||
module FormOptionsHelper
|
||||
# ERB::Util can mask some helpers like textilize. Make sure to include them.
|
||||
include ERB::Util
|
||||
include TextHelper
|
||||
|
||||
# Create a select tag and a series of contained option tags for the provided object and method.
|
||||
@ -306,7 +306,7 @@ def options_for_select(container, selected = nil)
|
||||
text, value = option_text_and_value(element).map(&:to_s)
|
||||
selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
|
||||
disabled_attribute = ' disabled="disabled"' if disabled && option_value_selected?(value, disabled)
|
||||
%(<option value="#{html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{html_escape(text)}</option>)
|
||||
%(<option value="#{ERB::Util.html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{ERB::Util.html_escape(text)}</option>)
|
||||
end.join("\n").html_safe
|
||||
|
||||
end
|
||||
@ -396,7 +396,7 @@ def options_from_collection_for_select(collection, value_method, text_method, se
|
||||
def option_groups_from_collection_for_select(collection, group_method, group_label_method, option_key_method, option_value_method, selected_key = nil)
|
||||
collection.map do |group|
|
||||
group_label_string = eval("group.#{group_label_method}")
|
||||
"<optgroup label=\"#{html_escape(group_label_string)}\">" +
|
||||
"<optgroup label=\"#{ERB::Util.html_escape(group_label_string)}\">" +
|
||||
options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key) +
|
||||
'</optgroup>'
|
||||
end.join.html_safe
|
||||
@ -501,7 +501,7 @@ def option_html_attributes(element)
|
||||
return "" unless Array === element
|
||||
html_attributes = []
|
||||
element.select { |e| Hash === e }.reduce({}, :merge).each do |k, v|
|
||||
html_attributes << " #{k}=\"#{html_escape(v.to_s)}\""
|
||||
html_attributes << " #{k}=\"#{ERB::Util.html_escape(v.to_s)}\""
|
||||
end
|
||||
html_attributes.join
|
||||
end
|
||||
@ -595,11 +595,11 @@ def to_time_zone_select_tag(priority_zones, options, html_options)
|
||||
private
|
||||
def add_options(option_tags, options, value = nil)
|
||||
if options[:include_blank]
|
||||
option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
|
||||
option_tags = "<option value=\"\">#{ERB::Util.html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
|
||||
end
|
||||
if value.blank? && options[:prompt]
|
||||
prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
|
||||
option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
|
||||
option_tags = "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>\n" + option_tags
|
||||
end
|
||||
option_tags.html_safe
|
||||
end
|
||||
|
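Review bot: option_groups_from_collection_for_select still reaches the group's methods via `eval("group.#{group_label_method}")` and `eval("group.#{group_method}")`; building code from a method-name argument means any caller that forwards an untrusted string gets code evaluation instead of a NoMethodError. `group.send(group_label_method)` and `group.send(group_method)` express the same call without evaluating text, and options_from_collection_for_select on the same lines presumably already takes its method names that way. Separately, the FormOptionsHelper hunk appears to drop `include ERB::Util` (seven lines become six and that line is printed once) but keeps the comment `# ERB::Util can mask some helpers like textilize. Make sure to include them.` above `include TextHelper`, which now refers to an include that no longer exists and should be reworded or removed.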
@ -1,6 +1,7 @@
|
||||
require 'cgi'
|
||||
require 'action_view/helpers/tag_helper'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
module ActionView
|
||||
# = Action View Form Tag Helpers
|
||||
@ -287,7 +288,7 @@ def text_area_tag(name, content = nil, options = {})
|
||||
end
|
||||
|
||||
escape = options.key?("escape") ? options.delete("escape") : true
|
||||
content = html_escape(content) if escape
|
||||
content = ERB::Util.html_escape(content) if escape
|
||||
|
||||
content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
|
||||
end
|
||||
|
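Review bot: text_area_tag marks `content.to_s.html_safe` unconditionally on the content_tag line, so when a caller passes `"escape" => false` the raw content is emitted and declared safe; that is the evident purpose of the option, but the line itself does not say so and a reader can easily take the `.html_safe` for a bug. A comment such as `# content is either escaped above or trusted by the caller via "escape" => false` on the line before the content_tag call would make the contract explicit. Note also that only the string key `"escape"` is consulted; whether symbol keys are normalized earlier in the method is outside the hunk, as is the start of text_area_tag.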
@ -1,6 +1,7 @@
|
||||
require 'set'
|
||||
require 'active_support/json'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
|
||||
module ActionView
|
||||
# = Action View Prototype Helpers
|
||||
@ -131,7 +132,7 @@ def remote_function(options)
|
||||
|
||||
url_options = options[:url]
|
||||
url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash)
|
||||
function << "'#{html_escape(escape_javascript(url_for(url_options)))}'"
|
||||
function << "'#{ERB::Util.html_escape(escape_javascript(url_for(url_options)))}'"
|
||||
function << ", #{javascript_options})"
|
||||
|
||||
function = "#{options[:before]}; #{function}" if options[:before]
|
||||
|
@ -1,4 +1,5 @@
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
require 'set'
|
||||
|
||||
module ActionView
|
||||
@ -7,8 +8,6 @@ module Helpers #:nodoc:
|
||||
# Provides methods to generate HTML tags programmatically when you can't use
|
||||
# a Builder. By default, they output XHTML compliant tags.
|
||||
module TagHelper
|
||||
include ERB::Util
|
||||
|
||||
extend ActiveSupport::Concern
|
||||
include CaptureHelper
|
||||
|
||||
@ -130,14 +129,14 @@ def tag_options(options, escape = true)
|
||||
if !v.is_a?(String) && !v.is_a?(Symbol)
|
||||
v = v.to_json
|
||||
end
|
||||
v = html_escape(v) if escape
|
||||
v = ERB::Util.html_escape(v) if escape
|
||||
attrs << %(data-#{k.to_s.dasherize}="#{v}")
|
||||
end
|
||||
elsif BOOLEAN_ATTRIBUTES.include?(key)
|
||||
attrs << %(#{key}="#{key}") if value
|
||||
elsif !value.nil?
|
||||
final_value = value.is_a?(Array) ? value.join(" ") : value
|
||||
final_value = html_escape(final_value) if escape
|
||||
final_value = ERB::Util.html_escape(final_value) if escape
|
||||
attrs << %(#{key}="#{final_value}")
|
||||
end
|
||||
end
|
||||
|
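Review bot: The TagHelper hunk appears to drop `include ERB::Util` (the hunk shrinks by two lines and that line is printed once), which removes `html_escape`/`h` from every module that mixes in TagHelper, not only from the helpers this commit rewrites; application or third-party helpers that called bare `html_escape` through that inclusion would then raise NoMethodError. Presumably the view context (ActionView::Base) still includes ERB::Util so templates keep `h` — worth confirming, and worth a sentence in the commit message stating that helper code must now call `ERB::Util.html_escape` explicitly. The tag_options changes themselves are straightforward; tag_options starts outside the hunk.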
@ -1,6 +1,7 @@
|
||||
require 'action_view/helpers/javascript_helper'
|
||||
require 'active_support/core_ext/array/access'
|
||||
require 'active_support/core_ext/hash/keys'
|
||||
require 'active_support/core_ext/string/output_safety'
|
||||
require 'action_dispatch'
|
||||
|
||||
module ActionView
|
||||
@ -240,8 +241,8 @@ def link_to(*args, &block)
|
||||
href = html_options['href']
|
||||
tag_options = tag_options(html_options)
|
||||
|
||||
href_attr = "href=\"#{html_escape(url)}\"" unless href
|
||||
"<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
|
||||
href_attr = "href=\"#{ERB::Util.html_escape(url)}\"" unless href
|
||||
"<a #{href_attr}#{tag_options}>#{ERB::Util.html_escape(name || url)}</a>".html_safe
|
||||
end
|
||||
end
|
||||
|
||||
@ -326,7 +327,7 @@ def button_to(name, options = {}, html_options = {})
|
||||
|
||||
html_options.merge!("type" => "submit", "value" => name)
|
||||
|
||||
("<form method=\"#{form_method}\" action=\"#{html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
|
||||
("<form method=\"#{form_method}\" action=\"#{ERB::Util.html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
|
||||
method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
|
||||
end
|
||||
|
||||
@ -472,7 +473,7 @@ def link_to_if(condition, name, options = {}, html_options = {}, &block)
|
||||
# :subject => "This is an example email"
|
||||
# # => <a href="mailto:me@domain.com?cc=ccaddress@domain.com&subject=This%20is%20an%20example%20email">My email</a>
|
||||
def mail_to(email_address, name = nil, html_options = {})
|
||||
email_address = html_escape(email_address)
|
||||
email_address = ERB::Util.html_escape(email_address)
|
||||
|
||||
html_options = html_options.stringify_keys
|
||||
encode = html_options.delete("encode").to_s
|
||||
@ -481,7 +482,7 @@ def mail_to(email_address, name = nil, html_options = {})
|
||||
option = html_options.delete(item) || next
|
||||
"#{item}=#{Rack::Utils.escape(option).gsub("+", "%20")}"
|
||||
}.compact
|
||||
extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
|
||||
extras = extras.empty? ? '' : '?' + ERB::Util.html_escape(extras.join('&'))
|
||||
|
||||
email_address_obfuscated = email_address.dup
|
||||
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")
|
||||
|
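Review bot: In mail_to the address is escaped once at `email_address = ERB::Util.html_escape(email_address)` and then `email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at"))` splices the caller's `replace_at` value into that already-escaped string without escaping it, so the replacement is the one part of the visible text that reaches the page as given. Since the value comes from html_options rather than from request input this is a documentation point rather than a defect: a comment like `# replace_at is emitted verbatim; callers supplying markup are responsible for it` at the gsub! line would record it. Where email_address_obfuscated is finally used is outside the hunk, so whether a later step escapes it cannot be checked here. The `extras` hunk is consistent: each option is URL-escaped with Rack::Utils.escape before the joined query string is HTML-escaped.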